Domain Name-Based Conservation of Inspection Bandwidth of a Data Inspection and Loss Prevention Appliance

ABSTRACT

The technology disclosed relates to a network security system (NSS) that reduces latency in security enforcement. The NSS comprises a deployer. The deployer periodically updates performance bypass lists deployed to endpoint routing clients running on devices. The performance bypass lists identify exempt connection identifiers that are not subject to routing through a traffic inspection proxy (abbreviated TIP) and being used by the endpoint routing clients to classify incoming connection access requests as non-exempt or exempt. The TIP, in dependence upon the performance bypass list-based classification by the endpoint routing clients, inspects non-exempt incoming connection access requests and applies a policy, and remains agnostic to exempt incoming connection access requests.

PRIORITY DATA

This application is a continuation of U.S. patent application Ser. No.16/738,964, titled “CONSERVING INSPECTION BANDWIDTH OF A DATA INSPECTIONAND LOSS PREVENTION APPLIANCE”, filed Jan. 9, 2020 (Atty. Docket No.NSKO 1007-3), which is a continuation of U.S. patent application Ser.No. 15/958,672, titled “REDUCING LATENCY IN SECURITY ENFORCEMENT BY ANETWORK SECURITY SYSTEM (NSS), filed Apr. 20, 2018 (Atty. Docket No.NSKO 1007-2), which claims the benefit of U.S. Provisional PatentApplication No. 62/488,703, titled “REDUCING LATENCY AND ERROR INSECURITY ENFORCEMENT BY A NETWORK SECURITY SYSTEM (NSS)”, filed on Apr.21, 2017 (Atty. Docket No. NSKO 1007-1). The provisional application isincorporated by reference as if fully set forth herein; and

This application claims the benefit of U.S. patent application Ser. No.15/958,637, titled “REDUCING ERROR IN SECURITY ENFORCEMENT BY A NETWORKSECURITY SYSTEM (NSS)”, filed Apr. 20, 2018 (Atty. Docket No. NSKO1008-1). The nonprovisional application is incorporated by reference asif fully set forth herein.

INCORPORATIONS

The following materials are incorporated by reference as if fully setforth herein:

-   U.S. Nonprovisional patent application Ser. No. 14/198,499, titled    “SECURITY FOR NETWORK DELIVERED SERVICES”, filed on Mar. 5, 2014    (Atty. Docket No. NSKO 1000-2) (now U.S. Pat. No. 9,398,102 issued    on Jul. 19, 2016);-   U.S. Nonprovisional patent application Ser. No. 14/835,640, titled    “SYSTEMS AND METHODS OF MONITORING AND CONTROLLING ENTERPRISE    INFORMATION STORED ON A CLOUD COMPUTING SERVICE (CCS)”, filed on    Aug. 25, 2015 (Atty. Docket No. NSKO 1001-2) (now U.S. Pat. No.    9,928,377 issued on Mar. 27, 2018);-   U.S. Nonprovisional patent application Ser. No. 15/368,240, titled    “SYSTEMS AND METHODS OF ENFORCING MULTI-PART POLICIES ON    DATA-DEFICIENT TRANSACTIONS OF CLOUD COMPUTING SERVICES”, filed on    Dec. 2, 2016 (Atty. Docket No. NSKO 1003-2);-   U.S. Nonprovisional patent application Ser. No. 15/911,034, titled    “SIMULATION AND VISUALIZATION OF MALWARE SPREAD IN A CLOUD-BASED    COLLABORATION ENVIRONMENT”, filed on Mar. 2, 2018 (Atty. Docket No.    NSKO 1012-2);-   Data Loss Prevention and Monitoring in the Cloud” by netSkope, Inc.;-   “The 5 Steps to Cloud Confidence” by netSkope, Inc.;-   “Netskope Active Cloud DLP” by netSkope, Inc.;-   “Repave the Cloud-Data Breach Collision Course” by netSkope, Inc.;-   “Netskope Cloud Confidence Index™” by netSkope, Inc;-   Wikipedia contributors, ‘List of HTTP header fields’, Wikipedia, The    Free Encyclopedia, 17 Apr. 2018, 09:04 UTC,    <https://en.wikipedia.org/w/index.php?title=List_of_HTTP_header_fields&oldid=836864202>    [accessed 19 Apr. 2018];-   Wikipedia contributors, ‘HTTPS’, Wikipedia, The Free Encyclopedia,    17 Apr. 2018, 03:27 UTC,    <https://en.wikipedia.org/w/index.php?title=HTTPS&oldid=836835625>    [accessed 19 Apr. 2018];-   Internet Engineering Task Force, ‘Hypertext Transfer Protocol    (HTTP/1.1): Semantics and Content’. R. Fielding, Ed., J. Reschke,    Ed. June 2014, <https://tools.ietf.org/pdf/rfc7231.pdf> [accessed 19    Apr. 2018];-   Internet Engineering Task Force, ‘Hypertext Transfer Protocol    (HTTP/1.1): Message Syntax and Routing’. R. Fielding, Ed., J.    Reschke, Ed. June 2014, <https://tools.ietforg/pdf/rfc7230.pdf>    [accessed 19 Apr. 2018].

FIELD OF THE TECHNOLOGY DISCLOSED

The technology disclosed relates to reducing latency and error insecurity enforcement by a network security system (NSS), and inparticular, relates to conserving inspection bandwidth of a datainspection and loss prevention appliance (DILPA) of the NSS.

BACKGROUND

Cloud adoption has created new security and compliance issues.Enterprises are struggling to understand the data security andcompliance impact of aggressive employee and organizational adoption ofweb services while also trying to determine how to maintain datasecurity and compliance as their infrastructure moves to the cloud. Thishas made network security systems (NSSs) critical elements of cloudsecurity architectures.

A NSS can be an on-premise or cloud-based security policy enforcementpoint that is placed between web service consumers and web serviceproviders to combine and interject enterprise security policies ascloud-based resources are accessed. For example, Netskope™(www.netskope.com) offers an exemplary NSS. NSSs deliver capabilitiesaround four pillars of functionality: visibility, compliance, datasecurity, and threat protection. Within the data security pillar, dataloss prevention (DLP) is natively included in a NSS. This makes sensegiven the fact that a NSS acts as a control point between users, the webservices they are accessing, and the sensitive data they are consumingand sharing. This is especially important as more than 33% of businessdata now resides in the cloud and it needs to be protected.

Data loss prevention (DLP) solutions provide capabilities to classifysensitive data, generally detecting sensitive data in documents andpreventing unauthorized access, saving or sharing of the sensitive data.DLP solutions identify sensitive data that is mandated by centralpolicies for protection, i.e., sensitivity classification. Identifyingsensitive data entails scanning the documents to detect protectedcontent, a process commonly referred to as the “content sensitivityscan”. Content sensitivity scan is computationally intensive and timeconsuming because it demands content analysis techniques thateffectively identify protected material. Examples of content analysistechniques include pattern-based matching algorithms (for example, foridentifying Social Security numbers or credit card numbers), generatinga fingerprint for an entire file for exact matching, or creating hashesfor specific parts of a file for partial matching.

Due to resource-intensive DLP, NSSs can negatively impact networkperformance and consume significant computational resources. Also, sinceNSSs force all network traffic through a common inspection point, theycan cause network traffic jams and introduce latency. This can result inusers experiencing application slowdowns.

An opportunity arises to reduce latency and error in securityenforcement by a NSS and to conserve inspection bandwidth of a datainspection and loss prevention appliance (DILPA) of the NSS. Better NSSperformance, lower NSS error, improved user experience, higher responsetime, and increased computational efficiency may result.

BRIEF DESCRIPTION OF THE DRAWINGS

In the drawings, like reference characters generally refer to like partsthroughout the different views. Also, the drawings are not necessarilyto scale, with an emphasis instead generally being placed uponillustrating the principles of the technology disclosed. In thefollowing description, various implementations of the technologydisclosed are described with reference to the following drawings, inwhich:

FIG. 1 illustrates a block diagram of an example environment in which anendpoint routing client (ERC), running on an on-network managed device,tunnels loss prevention inspectable connection access requests to anetwork security system (NSS) and routes bandwidth conservableconnection access requests to web services.

FIG. 2 shows a block diagram of an example environment in which anon-premise endpoint routing proxy (OPERP), connected to an organizationnetwork of devices, tunnels loss prevention inspectable connectionaccess requests to a NSS and routes bandwidth conservable connectionaccess requests to web services.

FIG. 3 depicts a block diagram of an example environment in which anERC, running on an off-network managed device, tunnels loss preventioninspectable connection access requests to a NSS and routes bandwidthconservable connection access requests to web services.

FIG. 4 is a block diagram of example NSS modules.

FIG. 5 shows a block diagram of example ERC modules.

FIG. 6 depicts a block diagram of example OPERP modules.

FIG. 7 illustrates a block diagram of example sub-modules of a NSSstorage module.

FIG. 8 is a block diagram of example sub-modules of a data inspectionand loss prevention appliance (DILPA) of the NSS.

FIG. 9 illustrates a message sequence chart of reducing latency insecurity enforcement by a NSS using an ERC configured with a client-sidebypass list.

FIGS. 10A and 10B depict a message sequence chart of bypassinginspection of further incoming connection access requests containing aserver name (e.g., server name indication (SNI), HOST header) that hasbeen previously classified as bandwidth conservable.

FIG. 11A shows a message sequence chart of internally bypassing deepinspection of web network responses containing bandwidth conservablecontent.

FIG. 11B illustrates a message sequence chart of internally bypassingdeep inspection of a further incoming connection access request that hasbeen previously classified as bandwidth conservable in a server-sidesupplemental bypass list.

FIG. 11C shows a message sequence chart of bypassing inspection of afurther incoming connection access request that has been previouslyclassified as bandwidth conservable in a client-side supplemental bypasslist.

FIG. 12 is a message sequence chart of internally bypassing deepinspection of a connection access request that invokes a non-HTTPprotocol on a HTTP channel.

FIG. 13 depicts a message sequence chart of internally bypassing deepinspection of a connection access request that invokes a non-HTTPSprotocol on a HTTPS channel.

FIG. 14 shows a message sequence chart of internally bypassing deepinspection of a connection access request that invokes a non-HTTPprotocol on a HTTPS channel.

FIG. 15 illustrates a message sequence chart of bypassing inspection ofa connection access request containing a server name (e.g., server nameindication (SNI), HOST header) that identifies a certificate pinnedapplication.

FIG. 16A is a message sequence chart of bypassing inspection of aconnection access request not containing a server name (e.g., servername indication (SNI), HOST header).

FIG. 16B depicts a message sequence chart of internally bypassing deepinspection of a web network response containing a server name (e.g.,server name indication (SNI), HOST header) that identifies a certificatepinned application.

FIG. 17 illustrates a message sequence chart of internally bypassingdeep inspection of a connection access request containing an erroneouscertificate.

FIG. 18 shows a message sequence chart of reducing latency in securityenforcement by a NSS using an ERC configured with a client-side bypasslist of bandwidth conservable web categories and bandwidth conservabledomain names.

FIG. 19 illustrates a message sequence chart of mandatory inspection ofa connection access request that overrides a bandwidth conservablecategorization of a domain name in the connection access request.

FIG. 20 shows one implementation of metadata information logged forconnection access requests, particularly bypassed connection actionrequests.

FIG. 21 is a simplified block diagram of a computer system that can beused to implement the technology disclosed.

DETAILED DESCRIPTION

The following discussion is presented to enable any person skilled inthe art to make and use the technology disclosed, and is provided in thecontext of a particular application and its requirements. Variousmodifications to the disclosed implementations will be readily apparentto those skilled in the art, and the general principles defined hereinmay be applied to other implementations and applications withoutdeparting from the spirit and scope of the technology disclosed. Thus,the technology disclosed is not intended to be limited to theimplementations shown, but is to be accorded the widest scope consistentwith the principles and features disclosed herein.

The detailed description of various implementations will be betterunderstood when read in conjunction with the appended drawings. To theextent that the figures illustrate diagrams of the functional blocks ofthe various implementations, the functional blocks are not necessarilyindicative of the division between hardware circuitry. Thus, forexample, one or more of the functional blocks (e.g., modules,processors, or memories) may be implemented in a single piece ofhardware (e.g., a general purpose signal processor or a block of randomaccess memory, hard disk, or the like) or multiple pieces of hardware.Similarly, the programs may be stand-alone programs, may be incorporatedas subroutines in an operating system, may be functions in an installedsoftware package, and the like. It should be understood that the variousimplementations are not limited to the arrangements and instrumentalityshown in the drawings.

The processing engines and databases of the figures, designated asmodules, can be implemented in hardware or software, and need not bedivided up in precisely the same blocks as shown in the figures. Some ofthe modules can also be implemented on different processors, computers,or servers, or spread among a number of different processors, computers,or servers. In addition, it will be appreciated that some of the modulescan be combined, operated in parallel or in a different sequence thanthat shown in the figures without affecting the functions achieved. Themodules in the figures can also be thought of as flowchart steps in amethod. A module also need not necessarily have all its code disposedcontiguously in memory; some parts of the code can be separated fromother parts of the code with code from other modules or other functionsdisposed in between.

INTRODUCTION

Employees now rely on web services to perform business-criticalfunctions, and they routinely upload sensitive and regulated data to theweb. A network security system (NSS), such as the one offered byNetskope™, intercepts network traffic in real-time to prevent loss ofsensitive data by inspecting data en route to or from web services anddata resident in the web services. NSS includes a data inspection andloss prevention appliance (DILPA) that uses a combination of deepapplication programming interface inspection (DAPII), deep packetinspection (DPI), and log inspection to monitor user activity andperform data loss prevention (DLP). DILPA achieves DLP by subjectingdata packets to content inspection techniques like language-aware dataidentifier inspection, document fingerprinting, file type detection,keyword search, pattern matching, proximity search, regular expressionlookup, exact data matching, metadata extraction, and language-agnosticdouble-byte character inspection.

In the context of this application, data loss prevention (DLP) refers toprotecting exfiltration of data deemed sensitive or confidential by oneor more security policies. Some examples of sensitive data are paymentCard information (PCI), personally-identifiable information (PII), andelectronic personal health information (ePHI)). In the context of thisapplication, data loss prevention (DLP) also refers to endpoint securitywhich involves protecting endpoints from cyber-attacks such as malwareand ransomware and in turn preventing exfiltration of sensitive datafrom the endpoints.

In the context of this application, the data inspection and lossprevention appliance (DILPA) inspects data that is encoded in networkpackets and/or higher order encodings of the network packets such assecure sockets layer (SSL) and/or transport layer security (TLS)handshakes and Hypertext Transfer Protocol (HTTP) transactions.

Deep inspection by the DILPA, however, introduces routing and processinglatencies. Latency in routing occurs because the network traffic istunneled through an additional hop in the network, i.e., the DILPA.Latency in processing occurs because the network traffic is subjected tothe different content inspection techniques discussed above.Furthermore, deep inspection imposes a substantial computational burdenon the DILPA, as part of the overall network security.

The NSS includes a decrypter that facilitates inspection of HTTP andHTTPS network streams. During stream inspection, decrypter decrypts thedata packets flowing in and out of the network and makes them availableto the DILPA for deep inspection. After deep inspection by the DILPA iscomplete, decrypter re-encrypts the data packets and sends them to theirintended destination. Though less than deep inspection, streaminspection also increases latency and consumes considerable amount ofcomputational resources.

The technology disclosed relates to reducing latency in DLP by the NSS.There exists a class of rich content traffic that has high latencyrequirements but low DLP value. Consider the example of recreationaltraffic like live-streaming and on-demand videos. Each video stream cangenerate between 200 kbps and 1.5 mbps of network traffic. On-demandclips are measured in megabytes and gigabytes. Inspecting such highvolume, rich content traffic exacerbates latency and challengescomputational limitations of the NSS. This results in diminished userexperience, with negligible or no DLP gains.

Client-Side, Non-Intercepting Complete Bypass

In a client-side implementation, the technology disclosed configures anendpoint routing client (ERC) running on an endpoint device with abypass list of bandwidth conservable (BC) destination identifiers. Inthis context, to “bypass” a connection access request means to forwardpackets of the request directly to a destination web service serverwithout at all intercepting the connection access request at the NSS,which is interposed between the endpoint device and the destination webservice server as a policy enforcement intermediary. As a result, thepackets are not made available to the decrypter or to the DILPA.

Bandwidth conservable destination identifiers specify rich contentsources using identifiers like domain names, unified resource locators(URLs), web categories, and server names (e.g. server name indications(SNIs), HOST headers). ERC classifies incoming connecting accessrequests as “loss prevention inspectable (LPI)” or “bandwidthconservable” by comparing them against entries in the client-side bypasslist. ERC tunnels loss prevention inspectable requests to the NSS over asecure encrypted channel for policy enforcement. ERC forwards bandwidthconservable requests to the destination web service servers, bypassingpolicy enforcement by the NSS and thereby avoiding resource-intensiveinspection by the decrypter and the DILPA.

Server-Side, Intercepting Internal Bypass

Different than the client-side implementation, in a server-sideimplementation, the connection access request is intercepted by the NSS.Here, the technology disclosed uses a server-side bypass list(s) toensure that rich content traffic is not subjected to content inspectionby the NSS. When the ERC naively classifies a bandwidth conservableconnection access request as loss prevention inspectable and tunnels therequest to the NSS (i.e., the request is intercepted by the NSS), anetwork gateway (e.g., proxy gateway, generic routing encapsulation(GRE) gateway, and/or internet protocol security (IPSec) gateway)receives the request and extracts a sever name contained in the request.In HTTPS implementations, the server name is specified as server nameindication (SNI). SNI is a cleartext field that specifies a hostname ofthe destination web service server. In HTTP implementations, the servername is specified as the HOST header. The server-side bypass listidentifies bandwidth conservable server names of rich content sources.NSS compares the extracted server name to entries in the server-sidebypass list and reclassifies the request as loss prevention inspectableor bandwidth conservable. If the request is reclassified as lossprevention inspectable, the network gateway forwards it to the decrypterfor stream inspection, followed by deep inspection by the DILPA. If therequest is reclassified as bandwidth conservable, the network gatewayforwards it to the destination web service server, bypassing inspectionby the decrypter and the DILPA. Since the request is intercepted by theNSS but not passed on or transferred to other processing modules of theNSS such as the decrypter and the DILPA, it is referred to as an“internal bypass”.

In another server-side implementation of internal bypass, consider ascenario where the ERC misclassifies a bandwidth conservable connectionaccess request as loss prevention inspectable and tunnels the request tothe NSS. The misclassification can result from the client-side bypasslist not having an entry for the bandwidth conservable request or fromthe bandwidth conservable request being encoded in a loss preventioninspectable connection identifier. Being unware of the bandwidthconservable nature of the bandwidth conservable request, the NSSsubjects the bandwidth conservable request to stream inspection by thedecrypter and deep inspection by the DILPA. If the applicable policyallows, the NSS then forwards the bandwidth conservable request to thedestination web service server.

The response from the destination web service server is received by thedecrypter. decrypter inspects the packet headers in the response anddetermines whether the response includes data packets belonging to abandwidth conservable content type. The determination is made bymatching a content type identified by the packet headers against aserver-side bypass list of bandwidth conservable content types that arenot subject to deep inspection by the DILPA. If the packet headersidentify a bandwidth conservable content type, the decrypter forwardsthe response to the endpoint device, bypassing deep inspection by theDILPA. This is also referred to as “internal bypassing”.

To ensure that further incoming bandwidth conservable requests are notmisclassified as loss prevention inspectable, the technology disclosedgenerates a so-called “supplemental bypass list” in response to theinternal bypassing. The supplemental bypass list contains a bandwidthconservable connection identifier that identifies the bandwidthconservable request as bandwidth conservable. The bandwidth conservableconnection identifier can be a domain name, a URL, and a server name(e.g. SNI, HOST header). The supplemental bypass list is then deployedto the ERC for subsequent client-side bypassing of further incomingrequests having the same domain name or URL or containing the sameserver name (e.g., server name indication (SNI), HOST header) as thepreviously misclassified bandwidth conservable request. This is referredto as “dynamic deployment”. Dynamic deployment can occur in real-time,immediately following the internal bypassing, or can be scheduled tooccur periodically. In implementations, the supplemental bypass list isalso maintained at the NSS for server-side bypassing.

Error Reduction

The technology disclosed also relates to reducing error in securityenforcement by the NSS. It does so by preventing deep inspection by theDILPA of certain connection preserving protocols and certificate pinnedapplications when they are invoked on Hypertext Transfer Protocol (HTTP)and Hypertext Transfer Protocol Secure (HTTPS) channels. The NSSmonitors network traffic over standard HTTP and HTTPs ports like port 80and port 443. Typically, the DILPA is set up to handle only HTTP andHTTPS traffic and blocks all non-HTTP and non-HTTPS traffic. Thisapproach does not work well because many of the popular web services andpeer-to-peer applications like Skype™ and Kazaa™ use port 80 and port443 to pass non-HTTP and non-HTTPs traffic. User experience suffers whensuch web services and applications are blocked.

To solve this problem, the technology disclosed uses the decrypter todetect non-HTTP and non-HTTPS requests over HTTP and HTTPs channels andforwards such requests to the destination web service servers,preventing connection termination and error generation by the NSS due tounsupported known protocols.

The NSS also detects requests from certificate pinned applications anddirectly forwards them the destination application servers withoutterminating or closing the connection or producing an error condition.Certificate pinned applications, such as Dropbox™ native application,Microsoft Outlook™, AirWatch™, Barclays mobile banking app™, Twitter™,and WhatsApp™, are pre-configured to only trust the destination webservice servers and do not trust a certificate of the NSS. When requestsfrom certificate pinned applications are tunneled to the NSS, theapplications refuse to establish a connection with the NSS due to thelack of trust. In response, the NSS could potentially block suchrequests, resulting in diminished user experience.

To solve this problem, the technology disclosed uses the network gatewayto extract a server name (e.g., server name indication (SNI), HOSTheader) contained in a request. The extracted server name is looked upin a bypass list (e.g., error bypass list) to determine whether therequest was initiated by a certificate pinned application. If so, thenetwork gateway forwards the request to the destination web serviceserver, preserving the connection and avoiding error generation due tounsupported known protocols.

In some cases, the decrypter uses a server name (e.g., server nameindication (SNI), HOST header) contained in a response to determinewhether the response was sent by a certificate pinned application. Ifso, the decrypter forwards the response to the endpoint device,preserving the connection and avoiding error generation due tounsupported known protocols.

As used herein, the term “data loss prevention inspectable” can refer tothe term “non-exempt” and the terms “bandwidth conservable” and“connection preserving” can refer to the term “exempt”.

Environments

We describe systems, methods, and articles of manufacture that reducelatency and error in security enforcement by a network security system(NSS). FIGS. 1-3 show an architectural level schematic of exampleenvironments 100, 200, and 300 in which the technology disclosed can beused. Because FIGS. 1-3 are architectural diagrams, certain details areintentionally omitted to improve clarity of the description.

The discussion of FIGS. 1-3 will be organized as follows. First, theelements of the figures will be described, followed by theirinterconnections. Then, the use of the elements in the system will bedescribed in greater detail. Wherever practicable, similar or likereference characters are used in the drawings to indicate similar orlike functionality.

FIG. 1 illustrates a block diagram of an example environment 100 thatincludes an endpoint routing client (ERC) 104 running on an on-networkmanaged device 102. See the discussion of FIG. 5 for additional examplemodules of the ERC 104. Device 102 is connected to the public network(s)115 through an organization network(s) 113. Environment 100 alsoincludes a network security system (NSS) 120 and a secure encryptedchannel 118 for communicating with the NSS 120. See the discussion ofFIG. 4 for additional example modules of the NSS 120. Environment 100also includes web services (WSs) 150 like YouTube™, Facebook™, andDropbox™ that run on web service servers like web service server 152,web service server 154, and web service server 156.

FIG. 2 illustrates a block diagram of an example environment 200 thatincludes an on-premise endpoint routing proxy (OPERP) 204. See thediscussion of FIG. 6 for additional example modules of the OPERP 204.OPERP 204 is connected to the organization network(s) 113 that includeson-premise devices 202 a-202 n. OPERP 204 is further connected to thepublic network(s) 115, which it uses to communicate with the NSS 120 andthe web services 150.

FIG. 3 illustrates a block diagram of an example environment 300 inwhich the ERC 104 runs on an off-network managed device 302. Device 302is a so-called “bring your own device” (BYOD) that is outside thepurview of the organization network(s) 113 and directly connected to thepublic network(s) 115. Device 302 uses the public network(s) 115 tocommunicate with the NSS 120 and the web services 150.

The interconnection of the elements of environments 100, 200, and 300will now be described. The public network(s) 115 couples the devices102, 202 a-202 n, and 302, the NSS 120, and the web services 150, all incommunication with each other (indicated by solid double-arrowed lines).The actual communication path can be point-to-point over public and/orprivate networks. Some items, such as ERC 104, might be deliveredindirectly, e.g., via an application store (not shown). Thecommunications can occur over a variety of networks, e.g., privatenetworks, VPN, MPLS circuit, or Internet, and can use appropriateapplication programming interfaces (APIs) and data interchange formats,e.g., Representational State Transfer (REST), JavaScript Object Notation(JSON), Extensible Markup Language (XML), Simple Object Access Protocol(SOAP), Java Message Service (JMS), and/or Java Platform Module System.All of the communications can be encrypted. The communication isgenerally over a network such as the LAN (local area network), WAN (widearea network), telephone network (Public Switched Telephone Network(PSTN), Session Initiation Protocol (SIP), wireless network,point-to-point network, star network, token ring network, hub network,Internet, inclusive of the mobile Internet, via protocols such as EDGE,3G, 4G LTE, Wi-Fi, and WiMAX. Additionally, a variety of authorizationand authentication techniques, such as username/password, OpenAuthorization (OAuth), Kerberos, SecureID, digital certificates andmore, can be used to secure the communications.

Devices 102, 202 a-202 n, and 302 can be desktop computers, laptops,tablet computers, mobile phones, or any other type of computing devices.The engines or system components of environments 100, 200, and 300 suchas the OPERP 204 and the NSS 120 are implemented by software running onvarying types of computing devices. Example devices are a workstation, aserver, a computing cluster, a blade server, and a server farm.

Having described the elements of FIGS. 1-3 and their interconnections,elements of the figures will now be described in greater detail.

Web Services

In FIGS. 1-3, three web services are shown, however, it is understoodthat environments 100, 200, and 300 can include any number of webservices. Web services 150 can be news websites, blogs, video streamingwebsites, social media websites, hosted services, cloud applications,cloud stores, cloud collaboration and messaging platforms, and/or cloudcustomer relationship management (CRM) platforms. They can be a networkservice or application, or can be web-based (e.g., accessed via a URL)or native, such as sync clients. Examples include software-as-a-service(SaaS) offerings, platform-as-a-service (PaaS) offerings, andinfrastructure-as-a-service (IaaS) offerings, as well as internalenterprise applications that are exposed via URLs. Examples of commonweb services today include YouTube™, Facebook™ Twitter™, Google™,Linkedln™, Wikipedia™, Yahoo™, Baidu™, Amazon™, MSN™ Pinterest™,Taobao™, Instagram™, Tumblr™, eBay™, Hotmail™, Reddit™ IMDb™, Netflix™,PayPal™, Imgur™, Snapchat™, Yammer™, Skype™, Slack™, HipChat™Confluence™, TeamDrive™, Taskworld™, Chatter™, Zoho™, ProsperWorks™,Google's Gmail™, Salesforce.com™, Box™, Dropbox™, Google Apps™, AmazonAWS™, Microsoft Office365™, Workday™, Oracle on Demand™, Taleo™, Jive™,and Concur™

Web services 150 often publish their application programming interfaces(APIs) to allow a third party to communicate with them and utilize theirunderlying data. An API refers to a packaged collection of codelibraries, routines, protocols methods, and fields that belong to a setof classes, including its interface types. The API defines the way thatdevelopers and programmers can use the classes for their own softwaredevelopment, just by importing the relevant classes and writingstatements that instantiate the classes and call their methods andfields. An API is a source code-based application intended to be used asan interface by software components to communicate with each other. AnAPI can include applications for routines, data structures, objectclasses, and variables. Basically, an API provides an interface fordevelopers and programmers to access the underlying data, platformcapabilities, and features of web services. Implementations of thetechnology disclosed use different types of APIs, including web serviceAPIs such as HTTP or HTTPs based APIs like SOAP, WSDL, Bulk, XML-RPC andJSON-RPC and REST APIs (e.g., Flickr™, Google Static Maps™, GoogleGeolocation™), web socket APIs, library-based APIs like JavaScript andTWAIN (e.g., Google Maps™ JavaScript API, Dropbox™ JavaScript Data storeAPI, Twilio™ APIs, Oracle Call Interface (OCI)), class-based APIs likeJava API and Android API (e.g., Google Maps™ Android API, MSDN ClassLibrary for .NET Framework, Twilio™ APIs for Java and C#), OS functionsand routines like access to file system and access to user interface,object remoting APIs like CORBA and .NET Remoting, and hardware APIslike video acceleration, hard disk drives, and PCI buses. Other examplesof APIs used by the technology disclosed include Amazon EC2 API™, BoxContent API™, Box Events API™, Microsoft Graph™, Dropbox API™, DropboxAPI v2™, Dropbox Core API™, Dropbox Core API v2™, Facebook Graph API™,Foursquare API™, Geonames API™, Force.com API™, Force.com Metadata API™,Apex API™, Visualforce API™, Force.com Enterprise WSDL™, Salesforce.comStreaming API™, Salesforce.com Tooling API™, Google Drive API™, DriveREST API™, AccuWeather API™, and aggregated-single API like CloudRail™API.

Having described the web services 150 and their APIs, the discussion nowturns to the NSS 120.

Network Security System (NSS)

FIG. 4 is a block diagram of example modules 400 of the NSS 120. NSS 120provides a variety of functionalities including providing a data plane410, a management plane 420, and a storage 460. See the discussion ofFIG. 7 for additional example modules of the storage 460. Otherfunctionalities, e.g., a control plane (not shown), may also beprovided. These functionalities collectively provide secure networkaccess to the web services 150 by devices 102, 202 a-202 n, and 302.More generally, the NSS 120 provides application visibility and controlfunctions as well as security. For further information regarding thefunctionalities of the NSS 120, reference can be made to, for example,commonly owned U.S. patent application Ser. Nos. 14/198,499; 14/198,508;14/835,640; 14/835,632; and 62/307,305; Cheng, Ithal, Narayanaswamy, andMalmskog. Cloud Security For Dummies, Netskope Special Edition. JohnWiley & Sons, Inc. 2015; “Netskope Introspection” by Netskope, Inc.;“Data Loss Prevention and Monitoring in the Cloud” by Netskope, Inc.;“Cloud Data Loss Prevention Reference Architecture” by Netskope, Inc.;“The 5 Steps to Cloud Confidence” by Netskope, Inc.; “The NetskopeReactive Platform” by Netskope, Inc.; “The Netskope Advantage: Three“Must-Have” Requirements for Cloud Access Security Brokers” by Netskope,Inc.; “The 15 Critical NSS Use Cases” by Netskope, Inc.; “NetskopeReactive Cloud DLP” by Netskope, Inc.; “Repave the Cloud-Data BreachCollision Course” by Netskope, Inc.; and “Netskope Cloud ConfidenceIndex™” by Netskope, Inc., which are incorporated by reference for allpurposes as if fully set forth herein.

The network security system (NSS) 120 can be implemented on-premise (asindicated by dotted lines in FIGS. 1-2) or can be cloud-based (asindicated by solid lines in FIGS. 1-3).

NSS 120 also includes a redirector 402 for routing network traffic.Redirector 402 includes a proxy gateway 404 and a generic routingencapsulation (GRE) and/or internet protocol security (IPSec) gateway406. In some implementations, proxy gateway 404 and GRE and/or IPSecgateway 406 route incoming connection access requests to the data plane410. In other implementations, proxy gateway 404 and GRE and/or IPSecgateway 406 route incoming connection access requests to the webservices 150. Proxy gateway 404 receives network traffic from manageddevices like device 102 and 302 and from OPERP 204. GRE and/or IPSecgateway 406 receives network traffic from a central network device(e.g., Cisco™ or Juniper™ router) of an organization network. Inimplementations, one or both of the proxy gateway 404 and the GRE and/orIPSec gateway 406 are not part of the NSS 120 and instead route traffictowards or away from the NSS 120.

Data plane 410 includes a decrypter 412, a data inspection and lossprevention appliance (DILPA) 414, and an introspector 416. See thediscussion of FIG. 8 for additional example modules of the DILPA 414.

Decrypter 412 de-encrypts the data packets flowing in and out of the NSS120 and makes them available to the DILPA 414 for deep inspection. Afterdeep inspection by the DILPA 414 is complete, decrypter 412 re-encryptsthe data packets and sends them to their intended destination.

Regarding DILPA 414, FIG. 8 shows a block diagram of example sub-modules800 of the DILPA 414. DILPA 414 is interposed between the devices 102,202 a-202 n, and 302 and the web services 150. In some implementations,DILPA 414 is a cloud-based data inspection and loss prevention appliance(CBDILPA). In other implementations, DILPA 414 is an on-premise datainspection and loss prevention appliance (ONDILPA). DILPA 414 comprisestransaction inspection rules 802, deep API inspector 812, contentinspection rules 822, deep packet inspector 832, log inspection rules842, log inspector 852, and security enforcer 862. DILPA 414 uses itssub-modules 800 to apply deep API inspection (DAPII), deep packetinspection (DPI), and log inspection on the network traffic traversingthe public network(s) 115 to and from the web services 150.

DILPA 414 uses DAPII to detect web transactions in real-time, includingcalls made to the web services 150. The web transactions are decomposedto identify the activity being performed and its associated parameters.In one implementation, the web transactions are represented as JSONfiles, which identify a structure and format that allows the DILPA 414to both interpret what actions a user is performing in the web serviceas it is happening. So, for example, DILPA 414 can detect for anorganization that “Joe from Investment Banking, currently in Japan,shared his M&A directory with an investor at a hedge fund at 10 PM”.

DILPA 414 uses DPI to perform data loss prevention (DLP). DILPA 414achieves this by subjecting the data packets to content inspectiontechniques like language-aware data identifier inspection, documentfingerprinting, file type detection, keyword search, pattern matching,proximity search, regular expression lookup, exact data matching,metadata extraction, and language-agnostic double-byte characterinspection.

DILPA 414 uses log inspection to monitor user activity and detect theweb services interfacing with the organization network(s) 113. DILPA 414does so by analyzing the event logs generated by from perimeternetworking infrastructure such as firewalls and secure web gateways.

DILPA 414 uses security enforcer 862 to take action on the incomingconnections access requests, such as blocking sharing of a file,preventing upload of a file, preventing download of a file, quarantiningfiles, providing coaching, seeking justification, and so on.

Introspector 416 is not proxy driven, rather it interacts directly withthe web services 150 using secure APIs published by the web services 150to control application behaviors and content residing in the webservices 150. It inventories both content and users of that content. Ina polling mode, introspector 416 calls the web services 150 using APIconnectors to crawl data resident in the web services 150 and check forchanges. As an example, Box™ storage application provides an admin APIcalled the Box Content API™ that provides visibility into anorganization's accounts for all users. The introspector 416 polls thisAPI to discover any changes made to any of the accounts. If so, the BoxEvents API™ is polled to discover the detailed data changes. In acallback model, the introspector 416 registers with the web services 150via API connectors to be informed of any significant events. Forexample, the introspector 416 can use Microsoft Office365 Webhooks API™to learn when a file has been shared externally. Like the DILPA 414,introspector 416 also has deep API inspection (DAPII), deep packetinspection (DPI), log inspection, and security enforcement capabilities.

One result of the inspection by the data plane 410 is generation ofmetadata 752 about the content, the users, and the users' interactionwith the content. Metadata 752 is stored in the storage 460 and used forenforcing security policies.

The management plane 420, among other things, includes a web managementinterface (WMI) that can be used to configure and populate the bypasslists, the supplemental bypass lists, and the policies. The deployer 430provides devices 102 and 302 with the appropriate ERC 104 (e.g., VPN ondemand or agent) for configuration. The deployer 430 is also beresponsible for providing the bypass lists, the supplemental bypasslists, and the policies to the ERC 104 and the OPERP 204, including anyupdates to the bypass lists, the supplemental bypass lists, and thepolicies. In implementations, deployer 430 is responsive to themanagement plane 420.

FIG. 7 illustrates a block diagram of example sub-modules 700 of thestorage 460. Storage 460 stores, among other things, a bypass list(s)702, a supplemental bypass list(s) 712, user identities 722, endpointrouting clients (ERCs) 732, policies 742, metadata 752, and domainwhitelist(s) 762.

Data plane 410 and storage 460 can include one or more computers andcomputer systems coupled in communication with one another. They canalso be one or more virtual computing and/or storage resources. Forexample, data plane 410 may be one or more Amazon EC2™ instances andstorage 460 may be an Amazon S3™ storage. Other computing-as-serviceplatforms such as Force.com™ from Salesforce.com™, Rackspace™, orHeroku™ could be used rather than implementing the NSS 120 on directphysical computers or traditional virtual machines. Additionally, thedata plane 410 may be distributed geographically and/or co-hosted withparticular web services. Similarly, the management plane 420 may bedistributed geographically. The two types of planes may be eitherseparately hosted or co-hosted as well.

Having described the NSS 120, the discussion now turns to the bypasslist(s) and the supplemental bypass list(s).

Bypass List(s) and Supplemental Bypass List(s)

The bypass list(s) and the supplemental bypass list(s) can be stored—atthe ERC 104 as bypass list(s) 502 and supplemental bypass list(s) 512,at the OPERP 204 as bypass list(s) 602 and supplemental bypass list(s)612, and at the NSS 120 as bypass list(s) 702 and supplemental bypasslist(s) 712. In implementations, the bypass list(s) and the supplementalbypass list(s) are configured on a per-tenant basis. Portions of thisapplication collectively refer to the bypass list(s) 502 andsupplemental bypass list(s) 512 at the ERC 104 as client-side bypasslist(s). Also, portions of this application collectively refer to thebypass list(s) 602 and supplemental bypass list(s) 612 at the OPERP 204and the bypass list(s) 702 and supplemental bypass list(s) 712 at theNSS 120 as server-side bypass list(s).

The bypass list(s) and the supplemental bypass list(s) identifybandwidth conservable destination identifiers that are not subject torouting through the data plane 410. In implementations, they identifybandwidth conservable destination identifiers that are not subject torouting through the DILPA 414. In implementations, they identifybandwidth conservable destination identifiers for which inspectionbandwidth of the DILPA 414 can be conserved by bypassing the DILPA 414.In one implementation, the bandwidth conservable destination identifiersidentify rich content sources that have high latency requirements butlow DLP value (e.g., Netflix™, YouTube™, Pandora™, Spotify™, CiscoWebEx™)

A sample set of bandwidth conservable destination identifiers accordingto one implementation includes the following:

Destination identifiers Example(s) Domain names www.youtube.comSubdomain names uk.youtube.com Unified resource locators (URLs)www.youtube.com/user/CNN Content types video, application, audio, image,multipart, and text Content sub-types application/json, text/html WebCategories streaming media, recreational videos, social media, Internetradio and TV, Internet telephony, peer-to-peer file sharing, educationalvideos, profanity, business and economy, banking, finance,advertisements, applica- tion and software download, instant messaging,message boards and forums, online brokerage and trading, pay-to-surf,personal network storage and backup, surveillance, and viral videos.Server names (e.g. server name www.youtube1.com indications (SNIs), HOSTheaders) System services operating system (OS) updates, security pathupdates, push notifications Certificate pinned applicationsdropboxnative.com (Dropbox ™ native application), Microsoft Outlook ™,AirWatch ™, Barclays mobile banking app ™, Twitter ™, WhatsApp ™ Networklocation profiles Home, public, and work Source countries India SourceInternet Protocol (IP) address 2. 3. 6. 7 and/or ranges and/or subnetsfor the 4. 5. 6. 8-4. 5. 6. 19 source IP address 10. 0. 0. 0/8Destination IP address and/or ranges 8. 4. 8. 1 and/or subnets for thedestination IP 2. 9. 6. 5-8. 2. 1. 28 address 11. 1. 0. 0/6

In some implementations, the above sample set of bandwidth conservabledestination identifiers are identified in so-called “performance bypasslist(s)” and “performance supplemental bypass list(s)” that improve theperformance of NSS 120 by reducing latency in security enforcement bythe NSS 120.

The following JSON code shows one implementation of the bypass list(s)or the supplemental bypass list(s):

GET https://<addon_host>/config/getbypasslist returns JSON: {  “names”:[“my.company.com”, “*.portal.com”],  “ips”: [ {“type”: “ip”,“value”:“2.3.6.7”}, {“type”: “range”, “value”:“4.5.6.8-4.5.6.19”}{“type”: “subnet” “10.0.0.0/8”} ] }

The above JSON code identifies five example bandwidth conservabledestination identifiers: (1) URL-based identifier (my.company.com), (2)domain name-based identifier (*.portal.com), (3) IP address-basedidentifier (2.3.6.7), (4) IP range-based identifier (4.5.6.8-4.5.6.19),and (5) IP-subnet identifier (10.0.0.0/8). The JSON code can begenerated in response to an administrative user identifying values forthe bandwidth conservable destination identifiers via a web managementinterface (WMI) of the management plane 420. Once generated, the JSONcode can be stored at the storage 460 and/or deployed to the ERC 104 andthe OPERP 204 by the deployer 430. In implementations, the differentbandwidth conservable destination identifiers can be stored inrespective tables, objects, or databases (e.g., web_info.web_categoriesdatabase, core_data.country_codes database, network location objectprofile of a collection of IP addresses). The bypass list(s) and thesupplemental bypass list(s) can be stored in a tenant.bypass_settingsdatabase, an exception list table, or a tenant.bypass_settings table.

The bypass list(s) and the supplemental bypass list(s) also identifybandwidth conservable protocols that are not subject to routing throughthe DILPA 414 when invoked on Hypertext Transfer Protocol (HTTP) andHypertext Transfer Protocol Secure (HTTPS) channels. A sample set ofbandwidth conservable protocols and corresponding examples according toone implementation includes the following:

Protocols Protocol Example(s) Channel Invoked Non-HTTP Skype protocol ™HTTP (port 80) Non-HTTPS Skype protocol ™ HTTPS (port 443) Non-HTTPFTPS, SMTPS HTTPS (port 443) Certificate pinned dropboxnative.com(Dropbox ™ HTTPS (port 443) applications native application), MicrosoftOutlook ™, AirWatch ™, Barclays mobile banking app ™, Twitter ™,WhatsApp ™ Server name-lacking Python script HTTPS (port 443) Badcertificate Untrusted root, incomplete HTTPS (port 443) chain,unsupported cipher

In some implementations, the above sample set of bandwidth conservableprotocols are identified in so-called “error bypass list(s)” and “errorsupplemental bypass list(s)” that reduce error in security enforcementby the NSS 120. An administrative user can identify values for bandwidthconservable protocols via a web management interface (WMI) of themanagement plane 420. Once identified, the bandwidth conservableprotocol values can be stored at the storage 460 and/or deployed to theOPERP 204 by the deployer 430.

Having described the bypass list(s) and the supplemental bypass list(s),the discussion now turns to the parser and the classifier.

Parser and Classifier

Parsers and classifiers can be stored—at the ERC 104 as parser 542 andclassifier 552, at the OPERP 204 as parser 642 and classifier 652, andat the NSS 120 as parser 440 and classifier 450. When a connectionaccess request (CAR) is received, it is subjected to analysis by theparsers. Parsers apply feature extraction on the CARs to identifydifferent destination identifiers included in the CARs. One example offeature extraction includes identifying lexical characteristics ofstrings and substrings of a URL by traversing the address structure anddata elements contained in the URL. Another example of featureextraction includes using domain name system (DNS) resolution toidentify IP addresses, host names, and other destination identifiersassociated with a URL. Examples of destination identifiers outputted orextracted by the parsers include domain names, subdomain names, URLs,server names (e.g. server name indications (SNIs), HOST headers), sourcecountries, source IP address, and destination IP address.

Classifiers compare the strings and substrings associated with theextracted destination identifiers to entries in the bypass list(s)and/or the supplemental bypass list(s). Classifiers can use differentsimilarity measures to determine whether an extracted connectionidentifier is present in the bypass list(s) and/or the supplementalbypass list(s). Some examples of similarity measures used by theclassifiers include Jaccard similarity, Euclidean distance, Cosinesimilarity, Levenshtein distance, Tanimoto coefficient, Dicecoefficient, Hamming distance, Needleman-Wunch distance or SellersAlgorithm, Smith-Waterman distance, Gotoh Distance orSmith-Waterman-Gotoh distance, Block distance or L1 distance or Cityblock distance, Monge Elkan distance, Jaro distance metric Jaro Winkler,SoundEx distance metric, Matching Coefficient, Dice Coefficient, OverlapCoefficient, Variational distance, Hellinger distance or Bhattacharyyadistance, Information Radius (Jensen-Shannon divergence) Harmonic Mean,Skew divergence, Confusion Probability, Tau, Fellegi and Sunters (SFS)metric, FastA, BlastP, Maximal matches, q-gram, Ukkonen Algorithms, editdistance technique, and Soergel distance.

If an extracted connection identifier is not present in the bypasslist(s) and/or the supplemental bypass list(s), then the classifiersclassify the associated or corresponding connection access request as a“loss prevention inspectable connection access request”. If an extractedconnection identifier is present in the bypass list(s) and/or thesupplemental bypass list(s), then the classifiers classify theassociated or corresponding connection access request as an “bandwidthconservable connection access request”.

Having described the parser and the classifier, the discussion now turnsto the ERC 104.

Endpoint Routing Client (ERC)

ERC 104 tunnels loss prevention inspectable connection access requeststo the NSS 120 over a secure encrypted channel 118. In contrast, the ERC104 routes bandwidth conservable connection access requests to webservices 150.

FIG. 5 shows a block diagram of example ERC modules 500. A bypasslist(s) 502, a supplemental bypass list(s) 512, a user identity 522, apolicy 532, a parser 542, a classifier 552, and a domain whitelist(s)562 can be provided, either embedded into the ERC 104 or as standaloneitems. Regarding ERC 104, depending on the type of device, it can be avirtual private network (VPN) such as VPN on demand or per-app-VPN thatuse certificate-based authentication. For example, for iOS™ devices, itcan be a per-app-VPN or can be a set of domain-based VPN profiles. ForAndroid™ devices, it can be a cloud director mobile app. For Windows™devices, it can be a per-app-VPN or can be a set of domain-based VPNprofiles. ERC 104 can also be an agent that is downloaded using e-mailor silently installed using mass deployment tools like ConfigMgr™,Altris™, and Jamf™.

User identity or user identification (e.g., user identities 522, 622,and 722), in the context of this specification refers to an indicatorthat is provided by the NSS 120 to the devices 102, 202 a-202 n, and302. It may be in the form of a token, a unique identifier such as auniversally unique identifier (UUID), a public-key certificate, or thelike. In some implementations, the user identity may be linked to aspecific user and a specific device; thus, the same individual may havea different user identity on their mobile phone vs. their computer. Theuser identity may be linked to an entry or userID corporate identitydirectory, but is distinct from it. In one implementation, acryptographic certificate signed by the network security is used as theuser identity. In other implementations, the user identity may be solelyunique to the user and be identical across devices.

Policies (e.g., policies 532, 632, and 742) can be a machine-readablerepresentation of flow control and logging requirements for webservices. Typically, a policy is defined by one or more administratorsat a corporation, or other entity, and is enforced upon users withinthat corporation, or entity. It is possible for individuals to definepolicies for their own usage that are enforced upon them; however,corporate usage is the more common case. It is also possible for apolicy to be enforced on visitors or customers of a web service, e.g.,where a corporation hosts a service and requires visiting customers toadhere to the policy for use. Of particular note is that the policiesconsidered herein are capable of being sensitive to the semantics of aweb service, which is to say a policy can differentiate between loggingin to a web service from, say, editing documents on the web service.Context is important for understanding usage; for an entity, thecollection of dozens or hundreds of individual policies (e.g., log bulkdownloads, prohibit editing documents on the service, only allow bulkdownloads for users who are in the “Vice President” group) is referredto singularly as one policy, or one policy definition. Thus, a systemsupporting multiple entities will generally have one policy per entity,each made up of dozens or hundreds of individual flow control andlogging policies. Similarly, the policy that is transferred toindividual computers may be a subset of a full corporate policy, e.g.,solely a machine-readable representation of the URLs of interest, asopposed to the full policy specification for each URL describing theflow control and/or logging behaviors.

A sample set of policies according to one implementation includes thefollowing:

-   -   Block the upload of personally-identifiable information to cloud        storage services with a CCI score of “medium” or below.    -   Don't let users share content in cloud storage services rated        medium or low or poor. In another implementation, web services        rated medium or below can be considered non enterprise-ready and        risky.    -   Allow users in sales to share any public collateral while        preventing them from downloading content deemed confidential        from a cloud storage service to an unmanaged system.    -   Alert IT if any user in investor relations shares content from a        finance/accounting service with someone outside of the        organization.    -   Block any user located outside of the U.S. from downloading        contacts from any CRM service.    -   Only allow data uploads to services that have a CCI score of        medium or above, and block uploads to the rest.    -   Encrypt all content matching my confidential DLP profile in web        services.    -   Block download of any .exe file from a cloud storage service.    -   Alert on the download of PII from any HR web service to a mobile        device.

Having described the ERC 104, the discussion now turns to the OPERP 204.

On-Premise Endpoint Routing Proxy (OPERP)

OPERP 204 tunnels loss prevention inspectable connection access requeststo the NSS 120 over a secure encrypted channel 118. In contrast, theOPERP 204 routes bandwidth conservable connection access requests to webservices 150.

FIG. 6 shows a block diagram of example OPERP modules 600. A bypasslist(s) 602, a supplemental bypass list(s) 612, user identities 622, apolicy 632, a parser 642, and a classifier 652 can be provided, eitherembedded into the OPERP 204 or as standalone items. Web trafficemanating from the on-premise devices 202 a-202 n of organizationnetwork(s) 113 is steered to the OPERP 204. In implementations,on-premise devices 202 a-202 n are not configured with ERC 104. OPERP204 can take the form of a network security hardware appliance such asNetskope's Secure Cloud N1000™ and Secure Cloud N5000™.

Having described the OPERP 204, the discussion now turns to messagesequence charts of FIGS. 9-18 which illustrate various aspects of thetechnology disclosed.

Message Sequence Charts

In the message sequence charts shown in FIGS. 9-18, multiple exchangescan be combined in some implementations. Other implementations mayperform the exchanges in different orders and/or with different, feweror additional exchanges than the ones illustrated in FIGS. 9-18. Inimplementations, all or some of the exchanges of FIGS. 9-18 (e.g.,bypass exchanges and/or block exchanges) are logged. For convenience,the sequence charts are described with reference to the system thatcarries out a method. The system is not necessarily part of the method.

Performance-Based Bypass

FIG. 9 illustrates a message sequence chart 900 of reducing latency insecurity enforcement by NSS 120 using ERC 104 configured with aclient-side bypass list. FIG. 9 shows communication paths between ERC104, deployer 430, storage 460, proxy gateway 404, data plane 410, andweb services (WSs) 150. In other implementations, in place of ERC 104,FIG. 9 can include OPERP 204 configured with a server-side bypass list.In yet other implementations, proxy gateway 404 can be replaced by GREand/or IPSec gateway 406.

At exchange 1, ERC 104 requests the deployer 430 for bypass list(s). ERC104 runs on the same device (e.g., device 102 or device 302) from whichthe CAR originated. At exchange 2, deployer 430 forwards that request tostorage 460. At exchange 3, storage 460 returns the bypass list(s) tothe deployer 430, which in turn forwards the bypass list(s) to ERC 104at exchange 4.

At exchange 5, ERC 104 receives a connection access request (CAR). Atexchange 6, parser 542 and classifier 552 of the ERC 104 operate on theCAR and classify it as either “loss prevention inspectable (LPI)” or“bandwidth conservable (BC)” based on comparison against entries in thebypass list(s), as discussed above. If the CAR is classified as lossprevention inspectable, then, at exchange 7a, ERC 104 tunnels it to dataplane 410 over the secure encrypted channel 118. Typically, tunnelingthe CAR involves forwarding it to proxy gateway 404, which in turnsteers the CAR to the data plane 410 at exchange 8.

After receiving the CAR, at exchange 9, data plane 410 applies one ormore policies to the CAR. Based on the policy application, the CAR iseither blocked at exchange 10A or forwarded to a destination web serveridentified by the CAR at one of the web services 150. If the CAR is sentto the destination web server at exchange 10b, data plane 410 receives aresponse from the destination web service at exchange 11. Data plane 410subjects this response to policy enforcement at exchange 12 and either,at exchange 13a, prevents the response from being sent to the devicefrom which the CAR originated or, at exchange 13b, relays the responseto the device. Typically, relaying the response involves forwarding itto proxy gateway 404, which in turn steers the response to the device atexchange 14 over the secure encrypted channel 118.

In contrast, if the CAR is classified as bandwidth conservable, then, atexchange 7b, it is sent directly to the destination web server,bypassing inspection by the data plane 410. The bandwidth conservableclassification can result because the CAR contains a bandwidthconservable domain name, a bandwidth conservable subdomain name, and/ora bandwidth conservable server name (e.g., server name indication (SNI),HOST header). The bandwidth conservable classification can also resultbecause the CAR belongs to a bandwidth conservable web category. Thebandwidth conservable classification can also result because the CAR wasinitiated by a certificate pinned application like Dropbox™ nativeapplication, Microsoft Outlook™, AirWatch™, Barclays mobile bankingapp™, Twitter™, and WhatsApp™. The bandwidth conservable classificationcan also result because the CAR was triggered by a system service likeoperating system (OS) updates, security path updates, and pushnotifications. The bandwidth conservable classification can also resultbecause the CAR resolves to a bandwidth conservable network locationprofile, a bandwidth conservable source country code, a bandwidthconservable source IP address, a bandwidth conservable source IP addressrange, a bandwidth conservable source IP address subset, a bandwidthconservable destination IP address, a bandwidth conservable destinationIP address range, and/or a bandwidth conservable destination IP addresssubset.

Furthermore, a response sent by the destination web server to the CAR atexchange 15 is not subjected to inspection by the data plane 410 and isdirectly sent to the device running the ERC 104.

Having described performance-based bypass, the discussion now turns toserver name-based bypass.

Server Name-Based Bypass

FIGS. 10A and 10B depict a message sequence chart 1000A and 1000B ofbypassing inspection of further incoming connection access requestscontaining a server name (e.g., server name indication (SNI), HOSTheader) that has been previously classified as bandwidth conservable.FIGS. 10A and 10B show communication paths between ERC 104, proxygateway 404, GRE and/or IPSec gateway 406, storage 460, SSL decrypted412, DILPA 414, and web services (WSs) 150. In other implementations, inplace of ERC 104, FIGS. 10A and 10B can include OPERP 204 configuredwith a server-side bypass list. In yet other implementations, proxygateway 404 and GRE and/or IPSec gateway 406 can be usedinterchangeably.

Regarding SNI, SNI is a cleartext field of the SSL/TLS handshake thatspecifies a hostname of the destination web service server to identifythe accessed websites. SNI is a clear string value from ClientHellomessages that provides a convenient way to know which web service isaccessed by a new connection. SNI is an SSL function that allows passingthe desired web service server hostname in the initial SSL handshakemessage, so that the web service server can select the correct virtualhost configuration to use in processing the SSL handshake. As usedherein, the meaning of server name indication (SNI) conforms in relevantrespects to its definition in the RFC 3546 standard published by theInternet Engineering Task Force (IETF) in June, 2003 and the RFC 6066standard published by the IETF in January, 2011, including any otherversion updates of the RFC 3546 and RFC 6066 standards (S. Blake-Wilson,M. Nystrom, D. Hopwood, J. Mikkelsen, and T. Wright, “RFC 3546:Transport layer security (TLS) extensions,” 2003. [Online]. Available:https://www.ietforg/rfc/rfc3546.txt; D. Eastlake, “RFC 6066: Thetransport layer security (TLS) extensions: Extension definitions,” 2011.[Online]. Available: http://tools.ietf.org/html/rfc6066, both of whichare incorporated by reference herein).

At exchange 1, ERC 104 receives a connection access request (CAR). ERC104 runs on the same device (e.g., device 102 or device 302) from whichthe CAR originated. At exchange 2, parser 542 and classifier 552 of theERC 104 operate on the CAR and classify it as “loss preventioninspectable (LPI)”. As a result, at exchange 3, ERC 104 tunnels the lossprevention inspectable CAR to proxy gateway 404. Proxy gateway 404, atexchange 4, steers the loss prevention inspectable CAR to DILPA 414 viadecrypter 412. Decrypter 412 performs stream inspection on the lossprevention inspectable CAR.

At exchange 5, DILPA 414 uses deep inspection to apply one or morepolicies on the loss prevention inspectable CAR. At exchange 6, DILPA414 forwards the loss prevention inspectable CAR to a destination webserver identified by the loss prevention inspectable CAR at one of theweb services 150.

At exchange 7, the destination web server sends a response to the lossprevention inspectable CAR. The response comprises data packets that areintercepted by the decrypter 412. At exchange 8, decrypter 412 performsstream inspection on the data packets and detects a first HOST headerwhich identifies a first server name (e.g., server name indication(SNI), HOST header) associated with the destination web server.

Based on the evaluation of the first HOST header during streaminspection, at exchange 9, decrypter 412 determines whether the datapackets belong to a bandwidth conservable (BC) content type. Examples ofbandwidth conservable content types include video, application, audio,and image. In other implementations, stream inspection reveals whetherthe data packets belong to a bandwidth conservable content sub-type. Oneexample of a bandwidth conservable content sub-type is application/json. If the data packets belong to a bandwidth conservable content typeand/or a bandwidth conservable content sub-type, then the first HOSTheader or the first server name (e.g., server name indication (SNI),HOST header), is stored as a “bandwidth conservable (BC) HOST header” ora “bandwidth conservable (BC) server name (e.g., server name indication(SNI), HOST header)” in storage 460. The storage can be made as anupdate to a bypass list(s) or as an update to a supplemental bypasslist(s).

At exchange 10, DILPA 414 applies deep inspection on the data packets.At exchange 11, after deep inspection, DILPA 414 relays the data packetsto the device running the ERC 104.

At exchange 12, ERC 104 receives a further incoming connection accessrequest (CAR). At exchange 13, parser 542 and classifier 552 of the ERC104 operate on the further incoming CAR and misclassify it as “lossprevention inspectable (LPI)”. The misclassification can result from theclient-side bypass list(s) not having an entry for the further incomingCAR or from the further incoming CAR being encoded in a loss preventioninspectable connection identifier. Being unware of the bandwidthconservable (BC) nature of the further incoming CAR, at exchange 14, ERC104 attempts to tunnel it to the data plane 410 via the GRE and/or IPSecgateway 406. GRE and/or IPSec gateway 406, at exchange 15, extracts aserver name (e.g., server name indication (SNI), HOST header) containedin the further incoming CAR and looks up its classification in thestorage 460. In the case where the extracted server name (e.g., servername indication (SNI), HOST header) matches the first SNI which has beenpreviously classified as a bandwidth conservable (BC) server name (e.g.,server name indication (SNI), HOST header), storage 460 returns abandwidth conservable (BC) classification for the further incoming CARat exchange 16.

At exchange 17, the bandwidth conservable further incoming CAR is sentdirectly to the destination web server, bypassing inspection by the dataplane 410. Furthermore, a response sent by the destination web server tothe bandwidth conservable further incoming CAR at exchange 18 is notsubjected to inspection by the data plane 410 and is directly sent tothe device running the ERC 104.

Having described server name-based bypass, the discussion now turns tointernal bypassing.

Internal Bypassing

FIG. 11A shows a message sequence chart 1100A of internally bypassingdeep inspection of web network responses containing bandwidthconservable content. FIGS. 11A, 11B, and 11C show communication pathsbetween ERC 104, proxy gateway 404, storage 460, SSL decrypted 412,DILPA 414, and web services (WSs) 150. In other implementations, inplace of ERC 104, FIGS. 11A, 11B, and 11C can include OPERP 204configured with a server-side bypass list. In yet other implementations,proxy gateway 404 can be replaced by GRE and/or IPSec gateway 406.

At exchange 1, ERC 104 receives a connection access request (CAR). ERC104 runs on the same device (e.g., device 102 or device 302) from whichthe CAR originated. At exchange 2, parser 542 and classifier 552 of theERC 104 operate on the CAR and classify it as “loss preventioninspectable (LPI)”. As a result, at exchange 3, ERC 104 tunnels the lossprevention inspectable CAR to proxy gateway 404. Proxy gateway 404, atexchange 4, steers the loss prevention inspectable CAR to DILPA 414 viadecrypter 412. Decrypter 412 performs stream inspection on the lossprevention inspectable CAR.

At exchange 5, DILPA 414 uses deep inspection to apply one or morepolicies on the loss prevention inspectable CAR. At exchange 6, DILPA414 forwards the loss prevention inspectable CAR to a destination webserver identified by the loss prevention inspectable CAR at one of theweb services 150.

At exchange 7, the destination web server sends a response to the lossprevention inspectable CAR. The response comprises data packets that areintercepted by the decrypter 412. At exchange 8, decrypter 412 performsstream inspection on the data packets and determines whether the datapackets belong to a bandwidth conservable (BC) content type by lookingup a classification of the packet headers in the data packets. Examplesof bandwidth conservable content types include video, application,audio, and image. In other implementations, stream inspection revealswhether the data packets belong to a bandwidth conservable contentsub-type. One example of a bandwidth conservable content sub-type isapplication/j son.

If the data packets belong to a bandwidth conservable content typeand/or a bandwidth conservable content sub-type, then the data packetsare not subjected to deep inspection by the DILPA 414 and are directlysent by the decrypter 412 to the device running the ERC 104 at messaged9. This is referred to as “internal bypassing”.

FIG. 11B illustrates a message sequence chart 1100B of internallybypassing deep inspection of a further incoming connection accessrequest that has been previously classified as bandwidth conservable(BC) in a server-side supplemental bypass list.

Following the internal bypassing at exchange 9 in FIG. 11A, decrypter412 generates a bandwidth conservable (BC) classification for the CAR atexchange 10. Decrypter 412 then stores the bandwidth conservableclassification in storage 460 at exchange 11. The storage at exchange 11can be made as an update to a bypass list(s) or as an update to asupplemental bypass list(s). The following code shows an example APIcall made to a PROVISIONER_SERVICE API to update the bypass list(s)and/or the supplemental bypass list(s):

-   -   PROVISIONER_SERVICE. “update/exceptionlist/”.$tenantID;

The above API call can also pass an attribute “type” that indicateswhich bandwidth conservable connection identifier is modified. Someexamples of attribute “type” are {src_netloc, dst_netloc, category,country, domain}.

At exchange 12, ERC 104 receives a further incoming connection accessrequest (CAR). In response, parser 542 and classifier 552 of the ERC 104operate on the further incoming CAR and misclassify it as “lossprevention inspectable (LPI)”. The misclassification can result from theclient-side bypass list(s) not having an entry for the further incomingCAR or from the further incoming CAR being encoded in a loss preventioninspectable connection identifier. Being unware of the bandwidthconservable nature of the further incoming CAR, at exchange 12, ERC 104attempts to tunnel it to the DILPA 414 via the proxy gateway 404. Proxygateway 404, at exchange 13, steers the misclassified loss preventioninspectable CAR to decrypter 412.

At exchange 14, decrypter 412 performs stream inspection on themisclassified loss prevention inspectable CAR and looks up itsclassification in the storage 460. At exchange 15, if the storage 460returns a bandwidth conservable classification for the further incomingCAR, then the further incoming CAR is not subjected to deep inspectionby the DILPA 414. Instead, at exchange 16, the further incoming CAR isdirectly sent by the Decrypter 412 to a destination web serveridentified by the further incoming CAR at one of the web services 150.Furthermore, a response sent by the destination web server to thefurther incoming CAR is not subjected to deep inspection by the DILPA414 and is directly sent to the device running the ERC 104. This is alsoreferred to as “internal bypassing”.

Having described internal bypassing, the discussion now turns to dynamicdeployment.

Dynamic Deployment

FIG. 11C shows a message sequence chart 1100C of bypassing inspection ofa further incoming connection access request that has been previouslyclassified as bandwidth conservable in a client-side supplemental bypasslist.

Following the internal bypassing at exchange 9 in FIG. 11A, decrypter412 generates a bandwidth conservable classification for the CAR atexchange 10. Decrypter 412 then sends the bandwidth conservableclassification to the ERC 104 at exchange 11. The bandwidth conservableclassification can be sent as an update to a client-side bypass list(s)or as an update to a client-side supplemental bypass list(s). Exchange11, i.e., deployment of the bandwidth conservable classification to theERC 104 can occur in real-time, immediately following the internalbypassing at exchange 9 in FIG. 11A, or can be scheduled to occur alater time as part of a periodic update scheme.

At exchange 12, ERC 104 receives further incoming connection accessrequests (CARs). At exchange 13, parser 542 and classifier 552 of theERC 104 operate on the further incoming CARs and classify them as either“loss prevention inspectable (LPI)” or “bandwidth conservable (BC)”based on comparison against entries in the updated client-side bypasslist(s) and/or updated client-side supplemental bypass list(s).

If the further incoming CARs are classified as bandwidth conservable(BC) by the ERC 104, then, at exchange 14, they are sent directly torespective destination web servers identified by the further incomingCARs at the web services 150, bypassing inspection by the data plane410. Furthermore, responses sent by the respective destination webservers to the further incoming CARs are not subjected to inspection bythe data plane 410 and are directly sent to the device running the ERC104.

Having described dynamic deployment, the discussion now turns toerror-based bypass.

Error-Based Bypass

Error-based bypass reduces error in security enforcement by the NSS 120.In some implementations, error-based bypass occurs at the NSS 120. Inother implementations, it occurs at the OPERP 204. The NSS 120 monitorsnetwork traffic over standard HTTP and HTTPs ports like port 80 and port443. Typically, the NSS 120 is set up to handle only HTTP and HTTPStraffic and generates an error when it receives non-HTTP and non-HTTPStraffic.

The NSS 120 decrypts an incoming connection access request anddetermines conformance or non-conformance of the connection accessrequest with semantic and content requirements of a protocol establishedfor the monitored channel. The decryption can be performed by thedecrypter 412, which could be an HTTP-based decrypter or HTTPS-baseddecrypter (e.g., SSL or TLS decrypter). Based on the determination, theNSS classifies the connection access request as “loss preventioninspectable” or “connection preserving”.

The semantic and content requirements apply to request methods, requestheader fields, request payload metadata, and request payload bodycontent of the protocol established for the monitored channel. Thesemantic and content requirements can be loaded onto an error bypasslist and made available to the NSS 120. Additional information about thesemantic and content requirements can be found in Wikipediacontributors, ‘List of HTTP header fields’, Wikipedia, The FreeEncyclopedia, 17 Apr. 2018, 09:04 UTC,<https://en.wikipedia.org/w/index.php?title=List_of_HTTP_header_fields&oldid=836864202>[accessed 19 Apr. 2018]; Wikipedia contributors, ‘HTTPS’, Wikipedia, TheFree Encyclopedia, 17 Apr. 2018, 03:27 UTC,<https://en.wikipedia.org/w/index.php?title=HTTPS&oldid=836835625>[accessed 19 Apr. 2018]; Internet Engineering Task Force, ‘HypertextTransfer Protocol (HTTP/1.1): Semantics and Content’. R. Fielding, Ed.,J. Reschke, Ed. June 2014, <https://tools.ietf.org/pdf/rfc7231.pdf>[accessed 19 Apr. 2018]; and Internet Engineering Task Force, ‘HypertextTransfer Protocol (HTTP/1.1): Message Syntax and Routing’. R. Fielding,Ed., J. Reschke, Ed. June 2014, <https://tools.ietf.org/pdf/rfc7230.pdf>[accessed 19 Apr. 2018], which are incorporated by reference herein intheir entirety.

In some implementations, semantic and content based comparison involveskeyword matching, pattern matching, string or substring matching, exactmatching, and regular expression matching. That is, the header andpayload of a request or response can be compared that of a standard HTTPor HTTPS header and payload of a request or response on a semantic andcontent basis to determine conformance or non-conformance with HTTP orHTTPS protocol.

FIGS. 12, 13, 14, 15, 16A, 16B, and 17 show communication paths betweenERC 104, GRE and/or IPSec gateway 406, storage 460, SSL decrypted 412,DILPA 414, data plane 410, and web services (WSs) 150. In otherimplementations, in place of ERC 104, FIGS. 12, 13, 14, 15, 16A, 16B,and 17 can include OPERP 204 configured with a server-side bypass list.In yet other implementations, GRE and/or IPSec gateway 406 can bereplaced by proxy gateway 404.

FIG. 12 is a message sequence chart 1200 of internally bypassing deepinspection of a connection access request that invokes a non-HTTPprotocol on a HTTP channel. At exchange 1, ERC 104 tunnels a connectionaccess request (CAR) to the decrypter 412 over a HTTP channel such asport 80. ERC 104 runs on the same device (e.g., device 102 or device302) from which the CAR originated. At exchange 2, decrypter 412performs stream inspection on the CAR, which includes parsing packetheaders of data packets included in the CAR. Stream inspection revealswhether the data packets belong to a “loss prevention inspectable”protocol or a “connection preserving” protocol. One example of a lossprevention inspectable protocol is HTTP protocol. One example of aconnection preserving protocol is non-HTTP protocol such as SkypeProtocol™. If the data packets belong to a loss prevention inspectableprotocol, the CAR is classified as a loss prevention inspectable CAR. Ifthe data packets belong to a connection preserving protocol, the CAR isclassified as a connection preserving CAR.

At exchange 3a, the connection preserving CAR is not subjected to deepinspection by the DILPA 414. As result, the connection is maintained andnot terminated/closed and no error is generated. Instead, the connectionpreserving CAR is directly sent by the decrypter 412 to a destinationweb server identified by the connection preserving CAR at one of the webservices 150. Furthermore, a response sent by the destination web serverto the connection preserving CAR at exchange 4 is not subjected to deepinspection by the DILPA 414 and is directly sent to the device runningthe ERC 104. This is also referred to as “internal bypassing”.

At exchange 3b, the loss prevention inspectable CAR is sent to the DILPA414 for deep inspection.

In other implementations, instead of being bypassed, the loss preventioninspectable CAR is blocked and logged.

FIG. 13 depicts a message sequence chart 1300 of internally bypassingdeep inspection of a connection access request that invokes a non-HTTPSprotocol on a HTTPS channel. At exchange 1, ERC 104 tunnels a connectionaccess request (CAR) to the decrypter 412 over a HTTPS channel such asport 443. ERC 104 runs on the same device (e.g., device 102 or device302) from which the CAR originated. At exchange 2, decrypter 412performs stream inspection on the CAR, which includes parsing packetheaders of data packets included in the CAR. Stream inspection revealswhether the data packets belong to a “loss prevention inspectable”protocol or a “connection preserving” protocol. One example of a lossprevention inspectable protocol is HTTPS protocol. One example of aconnection preserving protocol is non-HTTPS protocol such as SkypeProtocol™. If the data packets belong to a loss prevention inspectableprotocol, the CAR is classified as a loss prevention inspectable CAR. Ifthe data packets belong to a connection preserving protocol, the CAR isclassified as a connection preserving CAR.

At exchange 3a, the connection preserving CAR is not subjected to deepinspection by the DILPA 414. As result, the connection is maintained andnot terminated/closed and no error is generated. Instead, the connectionpreserving CAR is directly sent by the decrypter 412 to a destinationweb server identified by the connection preserving CAR at one of the webservices 150. Furthermore, a response sent by the destination web serverto the connection preserving CAR at exchange 4 is not subjected to deepinspection by the DILPA 414 and is directly sent to the device runningthe ERC 104. This is also referred to as “internal bypassing”.

At exchange 3b, the loss prevention inspectable CAR is sent to the DILPA414 for deep inspection.

In other implementations, instead of being bypassed, the loss preventioninspectable CAR is blocked and logged.

FIG. 14 shows a message sequence chart 1400 of internally bypassing deepinspection of a connection access request that invokes a non-HTTPprotocol on a HTTPS channel. At exchange 1, ERC 104 tunnels a connectionaccess request (CAR) to the decrypter 412 over a HTTPS channel such asport 443. ERC 104 runs on the same device (e.g., device 102 or device302) from which the CAR originated. At exchange 2, decrypter 412performs stream inspection on the CAR, which includes parsing packetheaders of data packets included in the CAR. stream inspection revealswhether the data packets belong to a “loss prevention inspectable”protocol or a “connection preserving” protocol. Examples of lossprevention inspectable protocols are HTTP protocol and HTTPs protocol.Examples of connection preserving protocols are secure non-HTTPprotocols such as file transfer protocol secure (FTPS) protocol andsimple mail transfer protocol secure (SMTPS) protocol. If the datapackets belong to a loss prevention inspectable protocol, the CAR isclassified as a loss prevention inspectable CAR. If the data packetsbelong to a connection preserving protocol, the CAR is classified as aconnection preserving CAR.

At exchange 3a, the connection preserving CAR is not subjected to deepinspection by the DILPA 414. As result, the connection is maintained andnot terminated/closed and no error is generated. Instead, the connectionpreserving CAR is directly sent by the decrypter 412 to a destinationweb server identified by the connection preserving CAR at one of the webservices 150. Furthermore, a response sent by the destination web serverto the connection preserving CAR at exchange 4 is not subjected to deepinspection by the DILPA 414 and is directly sent to the device runningthe ERC 104. This is also referred to as “internal bypassing”.

At exchange 3b, the loss prevention inspectable CAR is sent to the DILPA414 for deep inspection.

In other implementations, instead of being bypassed, the loss preventioninspectable CAR is blocked and logged.

In yet other implementations, connection access requests invoked onchannels other than port 80 and/or port 443 are bypassed.

FIG. 15 illustrates a message sequence chart 1500 of bypassinginspection of a connection access request containing a server name(e.g., server name indication (SNI), HOST header) that identifies acertificate pinned application. At exchange 1, over a HTTPS channel suchas port 443, ERC 104 attempts to tunnel a connection access request(CAR) a HTTPS channel such as port 443 to the data plane 410 via the GREand/or IPSec gateway 406. ERC 104 runs on the same device (e.g., device102 or device 302) from which the CAR originated. The CAR includes aserver name (e.g., server name indication (SNI), HOST header) (e.g.,www.youtube1.com).

At exchange 2, GRE and/or IPSec gateway 406 extracts the server name andlooks up its classification in a bypass list(s) stored in the storage460. In the case where the extracted server name (e.g., server nameindication (SNI), HOST header) matches a connection preserving servername (e.g., server name indication (SNI), HOST header) that identifies acertificate pinned application, storage 460 returns a connectionpreserving classification for the CAR at exchange 3. Certificate pinnedapplications are those applications that trust only specificcertificates or public keys, rather than relying on the chain of trustfrom a certificate authority. In implementations, the certificate pinnedapplications referred to herein do not trust a certificate of the NSS120. Examples of certificate pinned applications are Dropbox™ nativeapplication, Microsoft Outlook™, AirWatch™, Barclays mobile bankingapp™, Twitter™, and WhatsApp™.

At exchange 4, the connection preserving CAR is sent directly to adestination web server identified by the connection preserving CAR atone of the web services 150, bypassing inspection by the data plane 410.As result, the connection is maintained and not terminated/closed and noerror is generated. Furthermore, a response sent by the destination webserver to the connection preserving CAR at exchange 5 is not subjectedto inspection by the data plane 410 and is directly sent to the devicerunning the ERC 104.

In other implementations, instead of being bypassed, the connectionpreserving CAR is blocked and logged.

FIG. 16A is a message sequence chart 1600A of bypassing inspection of aconnection access request not containing a server name (e.g., servername indication (SNI), HOST header). At exchange 1, over a HTTPS channelsuch as port 443, ERC 104 attempts to tunnel a connection access request(CAR) to the data plane 410 via the GRE and/or IPSec gateway 406. ERC104 runs on the same device (e.g., device 102 or device 302) from whichthe CAR originated. The CAR does not include a server name (e.g., Pythonscript).

At exchange 2, GRE and/or IPSec gateway 406 detects an absence of aserver name (e.g., server name indication (SNI), HOST header) in the CARand returns a connection preserving classification for the CAR. Theconnection preserving CAR is sent directly to a destination web serveridentified by the connection preserving CAR at one of the web services150, bypassing inspection by the data plane 410. As result, theconnection is maintained and not terminated/closed and no error isgenerated. Furthermore, a response sent by the destination web server tothe connection preserving CAR at exchange 3 is not subjected toinspection by the data plane 410 and is directly sent to the devicerunning the ERC 104.

In other implementations, instead of being bypassed, the connectionpreserving CAR is blocked and logged.

FIG. 16B depicts a message sequence chart 1600B of internally bypassingdeep inspection of a web network response containing a server name(e.g., server name indication (SNI), HOST header) that identifies acertificate pinned application. At exchange 1, over a HTTPS channel suchas port 443, ERC 104 tunnels a connection access request (CAR) to theDILPA 414 via the decrypter 412. ERC 104 runs on the same device (e.g.,device 102 or device 302) from which the CAR originated. The CAR doesnot include a server name (e.g., Python script).

At exchange 2, the decrypter 412, after performing stream inspection onthe CAR, forwards the CAR to DILPA 414 for deep inspection. After deepinspection, at exchange 3, DILPA 414 sends the CAR to a destination webserver identified by the CAR at one of the web services 150.

At exchange 4, the decrypter 412 intercepts a response sent by thedestination web server to the CAR. The response includes a HOST header,which identifies a server name (e.g., server name indication (SNI), HOSTheader) associated with the destination web server. At exchange 5, thedecrypter 412 looks up a classification of the HOST header in a bypasslist(s) stored in the storage 460. In the case where the HOST headermatches a connection preserving server name (e.g., server nameindication (SNI), HOST header) that identifies a certificate pinnedapplication, storage 460 returns a connection preserving classificationfor the response at exchange 6. At exchange 7, the response is notsubjected to deep inspection by the DILPA 414 and is directly sent bythe decrypter 412 to the device running the ERC 104. This is alsoreferred to as “internal bypassing”. As result, the connection ismaintained and not terminated/closed and no error is generated.

In other implementations, instead of being bypassed, the response isblocked and logged.

FIG. 17 illustrates a message sequence chart 1700 of internallybypassing deep inspection of a connection access request containing anerroneous certificate. At exchange 1, over a HTTPS channel such as port443, ERC 104 tunnels a connection access request (CAR) to the DILPA 414via the decrypter 412. ERC 104 runs on the same device (e.g., device 102or device 302) from which the CAR originated. The CAR includes acertificate.

At exchange 2, the decrypter 412 inspects the certificate and detects acertificate error. The certificate error can be caused by an untrustedroot certificate, an incomplete certificate chain, and/or an unsupportedcipher.

At exchange 3, the CAR is not subjected to deep inspection by the DILPA414. As result, the connection is maintained and not terminated/closedand no error is generated. Instead, the CAR is directly sent by thedecrypter 412 to a destination web server identified by the CAR at oneof the web services 150. Furthermore, a response sent by the destinationweb server to the CAR at exchange 4 is not subjected to deep inspectionby the DILPA 414 and is directly sent to the device running the ERC 104.This is also referred to as “internal bypassing”.

In other implementations, instead of being bypassed, the CAR is blockedand logged or dropped in the case of unsupported cipher.

In another implementation, internal deep inspection bypass of aconnection access request (CAR) can occur when the client fails toperform the handshake and thus errors out. In such an implementation,the domain name associated with the CAR can be stored in the storage 460as part of the error bypass list for future bypassing.

Web Category-Based Bypass

FIG. 18 shows a message sequence chart 1800 of reducing latency insecurity enforcement by the NSS 120 using the ERC 104 configured with aclient-side bypass list of bandwidth conservable web categories andbandwidth conservable domain names. FIG. 18 shows communication pathsbetween ERC 104, deployer 430, storage 460, data plane 410, and webservices (WSs) 150. In other implementations, in place of ERC 104, FIG.18 can include OPERP 204 configured with a server-side bypass list. Inyet other implementations, in place of or in addition to domain name(s),FIG. 18 can include IP address(es).

At exchange 1, ERC 104 requests the deployer 430 for bypass list(s). ERC104 runs on the same device (e.g., device 102 or device 302) from whichthe CAR originated. At exchange 2, deployer 430 forwards that request tostorage 460. At exchange 3, storage 460 returns the bypass list(s) tothe deployer 430, which in turn forwards the bypass list(s) to ERC 104at exchange 4. In some implementations, the bypass list(s) includes aweb category bypass list of bandwidth conservable web categories thatare not subject to routing through the data plane 410. In otherimplementations, the bypass list(s) includes a web category bypass listof bandwidth conservable web categories that are not subject to routingthrough the DILPA 414. The web category bypass list further includes adomain bypass list of bandwidth conservable domain names in each of thebandwidth conservable web categories in the web category bypass list.

In some implementations, the bypass list(s), including the web categorybypass list and the domain bypass list, can be configured on atenant-by-tenant basis and populated in a tenant database by anadministrative user via a web management interface (WMI) of themanagement plane 420. In other implementations, a URL classificationservice can be used to classify the domain names into web categories.Some examples of web categories include streaming media, recreationalvideos, social media, Internet radio and TV, Internet telephony,peer-to-peer file sharing, educational videos, profanity, business andeconomy, banking, finance, advertisements, application and softwaredownload, instant messaging, message boards and forums, online brokerageand trading, pay-to-surf, personal network storage and backup,surveillance, and viral videos.

At exchange 5, ERC 104 receives a connection access request (CAR). TheCAR comprises a domain name. At exchange 6, parser 542 and classifier552 of the ERC 104 operate on the CAR and determine whether the domainname is present in the domain bypass list. At exchange 7, when thedomain name is not present in the domain bypass list, ERC 104 queriesthe storage 460 over the secure encrypted channel 118 to return a webcategory for the domain name. The query can be asynchronously sent overan API. At exchange 8, storage 460 returns a web category for the domainname. In implementations, storage 460 can be a tenant-specific database.

The following code shows an example API call that can be made to abypass category provisioner API to receive a web category bypass list ofbandwidth conservable web categories:

GET https://<addon_host>/url/bypasscategory?hashkey=%s&orgkey=%s″returns JSON: { ″bypasscategory″: [″−100″, ″−23″, ″39″] }

In the JSON code above, negative number categories can representstandard defined categories and positive number categories can representcustom defined categories.

At exchange 9, parser 542 and classifier 552 of the ERC 104 operate onthe returned web category and determine whether the returned webcategory is “loss prevention inspectable (LPI)” or “bandwidthconservable (BC)”. If the returned web category is loss preventioninspectable, ERC 104 classifies the domain name as loss preventioninspectable. If the returned web category is bandwidth conservable, ERC104 classifies the domain name as bandwidth conservable. In someimplementations, the classification is accompanied with a time to live(TTL) parameter. When the classification has expired based on the TTLparameter, storage 460 is queried to return a new web category for thedomain name. Based on the new web category, the domain name isreclassified as loss prevention inspectable or bandwidth conservable.

For loss prevention inspectable domain names, at exchange 10a, ERC 104tunnels the comprising CAR to data plane 410 for policy enforcement. Forbandwidth conservable domain names, at exchange 10b, the comprising CARis sent directly to a destination web server identified by thecomprising CAR at one of the web services 150, bypassing inspection bythe data plane 410. Furthermore, a response sent by the destination webserver to the comprising CAR is not subjected to inspection by the dataplane 410 and is directly sent to the device running the ERC 104.

Domain Whitelist-Based Mandatory Inspection

FIG. 19 illustrates a message sequence chart 1900 of mandatoryinspection of a connection access request that overrides a bandwidthconservable categorization of a domain name in the connection accessrequest. The ERC 104 is configured with (1) bandwidth conservable webcategories as part of the web category bypass list and (2) lossprevention inspectable domain names as part of a domain whitelist (e.g.,domain whitelist(s) 562). FIG. 19 shows communication paths between ERC104, deployer 430, storage 460, and data plane 410. In otherimplementations, in place of ERC 104, FIG. 19 can include OPERP 204configured with a server-side domain whitelist. In yet otherimplementations, in place of or in addition to domain name(s), FIG. 19can include IP address(es).

At exchange 1, ERC 104 requests the deployer 430 for the domainwhitelist. ERC 104 runs on the same device (e.g., device 102 or device302) from which the CAR originated. At exchange 2, deployer 430 forwardsthat request to storage 460. At exchange 3, storage 460 returns thedomain whitelist (.g., domain whitelist(s) 762) to the deployer 430,which in turn forwards the domain whitelist to ERC 104 at exchange 4.The domain whitelist identifies one or more loss prevention inspectabledomain names that are subject to inspection by the DILPA 414irrespective of belonging to a bandwidth conservable web category.

At exchange 5, ERC 104 receives a connection access request (CAR). TheCAR comprises a domain name. At exchange 6, parser 542 and classifier552 of the ERC 104 operate on the CAR and determine that the domain nameis present in the domain whitelist but also has a bandwidth conservablecategorization based on the web category bypass list. At exchange 7,atypically, the ERC 104 tunnels the CAR to the DILPA 414 for policyenforcement, overriding the CAR's bandwidth conservable categorization.

Having described the different message sequence charts, the discussionnow turns to examples of security actions triggered by the technologydisclosed.

Security Enforcement

In some implementations, one or more security policies can be enforcedby the network security system (NSS) 120 on the connection accessrequests (CARs). In response to detecting possible exfiltration ofsecurity data or an endpoint infection threat, one or more securityactions can be executed, as defined by the security policies. Someexamples of security actions are blocking a CAR, encryption of contentbeing transmitted by the CAR, quarantining the content being transmittedby the CAR, putting the CAR on hold until further inspection (e.g., byan administrator), seeking user justification for why the user made theCAR, coaching user on the security policies, and prohibiting furtheractivity on the endpoint (e.g., by freezing the endpoint file systemand/or the I/O drivers).

Having described the example security actions, the discussion now turnsto sample data structures used by the technology disclosed.

Sample Data Structures

The following sample data shows an example bypass list(s) stored in aMySQL™ database called tenant.bypass_settings database.

id type data int (11) varchar (20) text 1 src_netloc {“ids”: [1, 2, 3]}2 dst_netloc {“ids”: [1, 2, 3]} 3 category {“ids”: [1, 2, 3]} 4 country{“country_codes”: [‘AD’, ‘AE’, ‘AF’]} 5 domain {“domains”:[“domain1.com”, “domain2.com”, “domain3.com”]} 6 error{“bypass-settings”: {“no-sni”: true, “ssl-pinned”: true, “non-http”:true, “non-ssl”: true, “ssl-untrusted-root”: false, “ssl-incomplete-chain”}

The following sample data shows example web categories stored in aMySQL™ database called web_info.web_categories.

web_category_id web_category_name display int (11) varchar (225)tinyint(1) −4 Advocacy Groups & Trade Associations 1 −3 Adult 1 −2 AdFraud 1 −1 Accounting 1 0 Uncategorized 1

The following sample data shows example country codes stored in a MySQL™database called core_data.country_codes.

country_code country_name three_letters_code varchar (5) varchar (256)varchar (128) AD Andorra AND AE United Arab Emirates ARE AF AfghanistanAFG AG Antigua and Barbuda ATG AI Anguilla AIA

Having described the sample data structures, the discussion now turns tothe sample metadata structures logged and visualized by the technologydisclosed on a CAR-by-CAR basis.

Sample Metadata Structures

The technology disclosed logs metadata information 2000 about connectionaccess requests (CARs), regardless of whether they are loss preventioninspectable (LPI) or bandwidth conservable (BC). In someimplementations, only those CARs are logged “in detail” that trigger asecurity action. However, most implementations including logging CARsthat are bandwidth conservable and thus bypassed. Some examples ofmetadata logged for a CAR are shown in FIG. 20 and include userinformation 2002, application information 2004, source information 2006,destination information 2016, file information 2026, session information2014, bytes uploaded or downloaded 2022, and DLP information 2012. Inimplementations, DLP information 2012 is not logged for bypassed CARsbecause they are not subjected to content inspection. Inimplementations, the metadata information 2000 for respective bypassedCARs is stored and presented across the management plane (MP) 420 foreasy and granular inspection by an administrator. Metadata information2000 can also be stored as metadata 752.

Having described the sample metadata structures, the discussion nowturns to an example computer system on which the technology disclosedcan be operated.

Computer System

FIG. 21 is a simplified block diagram of a computer system 2100 that canbe used to implement the technology disclosed. Computer system 2100includes at least one central processing unit (CPU) 2172 thatcommunicates with a number of peripheral devices via bus subsystem 2155.These peripheral devices can include a storage subsystem 2110 including,for example, memory devices and a file storage subsystem 2136, userinterface input devices 2138, user interface output devices 2176, and anetwork interface subsystem 2174. The input and output devices allowuser interaction with computer system 2100. Network interface subsystem2174 provides an interface to outside networks, including an interfaceto corresponding interface devices in other computer systems.

In one implementation, the network security system (NSS) 120 iscommunicably linked to the storage subsystem 2110 and the user interfaceinput devices 2138.

User interface input devices 2138 can include a keyboard; pointingdevices such as a mouse, trackball, touchpad, or graphics tablet; ascanner; a touch screen incorporated into the display; audio inputdevices such as voice recognition systems and microphones; and othertypes of input devices. In general, use of the term “input device” isintended to include all possible types of devices and ways to inputinformation into computer system 2100.

User interface output devices 2176 can include a display subsystem, aprinter, a fax machine, or non-visual displays such as audio outputdevices. The display subsystem can include an LED display, a cathode raytube (CRT), a flat-panel device such as a liquid crystal display (LCD),a projection device, or some other mechanism for creating a visibleimage. The display subsystem can also provide a non-visual display suchas audio output devices. In general, use of the term “output device” isintended to include all possible types of devices and ways to outputinformation from computer system 2100 to the user or to another machineor computer system.

Storage subsystem 2110 stores programming and data constructs thatprovide the functionality of some or all of the modules and methodsdescribed herein. Subsystem 2178 can be graphics processing units (GPUs)or field-programmable gate arrays (FPGAs).

Memory subsystem 2122 used in the storage subsystem 2110 can include anumber of memories including a main random access memory (RAM) 2132 forstorage of instructions and data during program execution and a readonly memory (ROM) 2134 in which fixed instructions are stored. A filestorage subsystem 2136 can provide persistent storage for program anddata files, and can include a hard disk drive, a floppy disk drive alongwith associated removable media, a CD-ROM drive, an optical drive, orremovable media cartridges. The modules implementing the functionalityof certain implementations can be stored by file storage subsystem 2136in the storage subsystem 2110, or in other machines accessible by theprocessor.

Bus subsystem 2155 provides a mechanism for letting the variouscomponents and subsystems of computer system 2100 communicate with eachother as intended. Although bus subsystem 2155 is shown schematically asa single bus, alternative implementations of the bus subsystem can usemultiple busses.

Computer system 2100 itself can be of varying types including a personalcomputer, a portable computer, a workstation, a computer terminal, anetwork computer, a television, a mainframe, a server farm, awidely-distributed set of loosely networked computers, or any other dataprocessing system or user device. Due to the ever-changing nature ofcomputers and networks, the description of computer system 2100 depictedin FIG. 21 is intended only as a specific example for purposes ofillustrating the preferred embodiments of the present invention. Manyother configurations of computer system 2100 are possible having more orless components than the computer system depicted in FIG. 21.

Having described an example computer system on which the technologydisclosed can be operated, the discussion now turns to some particularimplementations.

Particular Implementations

The technology disclosed relates to reducing latency and error insecurity enforcement by a network security system (NSS) which comprisesa data inspection and loss prevention appliance (DILPA). The technologydisclosed also relates to conserving inspection bandwidth of the DILPA.

Performance-Based Bypass

Client-Side, Non-Intercepting Complete Bypass

A system implementation of the technology disclosed from the perspectiveof an endpoint routing client includes one or more processors coupled tothe memory. The memory is loaded with computer instructions to conserveinspection bandwidth of a data inspection and loss prevention appliance(DILPA).

A plurality of connection access requests are received at an endpointrouting client running on a same device from which the requestsoriginated. Such connection access requests include loss preventioninspectable requests and bandwidth conservable requests.

In advance of receiving the connection access requests, the endpointrouting client is configured with a performance bypass list of bandwidthconservable destination identifiers for which inspection bandwidth ofthe DILPA can be conserved by bypassing the DILPA. As a result, thebandwidth conservable destination identifiers are not subject to routingthrough the DILPA.

Upon receiving the connection access requests, the endpoint routingclient compares at least a substring of an incoming connection accessrequest to entries in the performance bypass list and classifies theincoming connection access request as loss prevention inspectable orbandwidth conservable.

Upon classifying the connection access request as loss preventioninspectable, the endpoint routing client tunnels the loss preventioninspectable connection access request through a secure encrypted channelto the DILPA, which is interposed between the device and a first serverat a destination specified by the loss prevention inspectable connectionaccess request.

Upon classifying the connection access request as bandwidth conservable,the endpoint routing client bypasses the DILPA by sending the bandwidthconservable connection request from the device to a second server at adestination specified by the bandwidth conservable connection accessrequest.

This system implementation and other systems disclosed optionallyinclude one or more of the following features. System can also includefeatures described in connection with methods disclosed. In the interestof conciseness, alternative combinations of system features are notindividually enumerated. Features applicable to systems, methods, andarticles of manufacture are not repeated for each statutory class set ofbase features. The reader will understand how features identified inthis section can readily be combined with base features in otherstatutory classes.

The connection access requests can be unified resource locator (URL)requests and the incoming connection access request can be an incomingURL request. The bandwidth conservable destination identifiers can beidentifiers that identify domain names. The bandwidth conservabledestination identifiers can be identifiers that identify subdomainnames. The bandwidth conservable destination identifiers can beidentifiers that identify URLs. The bandwidth conservable destinationidentifiers can be identifiers that identify content types. Thebandwidth conservable destination identifiers can be identifiers thatidentify web categories. In such an implementation, the performancebypass list can identify a set number of most frequently visited domainsfor each of the web categories.

The bandwidth conservable destination identifiers can be identifiersthat identify system services. The bandwidth conservable destinationidentifiers can be identifiers that identify certificate pinnedapplications. The bandwidth conservable destination identifiers can beidentifiers that identify server names (e.g., server name indications(SNIs), HOST headers). The bandwidth conservable destination identifierscan be identifiers that identify network location profiles. Thebandwidth conservable destination identifiers can be identifiers thatidentify source countries.

The bandwidth conservable destination identifiers can be identifiersthat identify source Internet Protocol (IP) address and/or ranges and/orsubnets for the source IP address. The bandwidth conservable destinationidentifiers can be identifiers that identify destination IP addressand/or ranges and/or subnets for the destination IP address.

The bandwidth conservable destination identifiers can be automaticallyconfigured using a URL classification service. The bandwidth conservabledestination identifiers can also be automatically configured based onsystem services applicable to and/or running on the device.

Server-Side, Intercepting Internal Bypass

When the network security system (NSS) receives a given connectionaccess request that is classified as loss prevention inspectable by theendpoint routing client, such request can be tunneled through the secureencrypted channel. The request can identify a given server nameindication (SNI). When the NSS receives data packets from the givenserver, it can determine from a packet header of the data packets thatthe data packets belong to a bandwidth conservable content type. Basedon such a determination, the NSS can internally bypass inspection of thedata packets belonging to the bandwidth conservable content type by theDILPA.

The NSS can also generate a bandwidth conservable classification for theSNI based on the determination that the data packets belongs to abandwidth conservable content type. The NSS can then store the bandwidthconservable classification in a supplemental bypass list.

Further, upon receiving further connection access requests that areaccompanied by the given server name, the NSS can bypass inspection ofsuch requests by the DILPA based on identifying the given server name inthe supplemental bypass list.

In addition, the NSS can send the supplemental bypass list to theendpoint routing client.

Also, based on the determination, the NSS can generate a bandwidthconservable classification for the given connection access request andcan store the bandwidth conservable classification in the supplementalbypass list.

When the network security system (NSS) receives the given connectionaccess request, it can compare at least a substring of the givenconnection access request to entries in the supplemental bypass list.Based on the comparison, the NSS can determine that the given connectionaccess request is bandwidth conservable. Based on such a determination,the NSS can internally bypass inspection of the given connection accessrequest by the DILPA, which in turn includes sending the givenconnection access request to the given server.

Based on the supplemental bypass list received from the NSS, theendpoint routing client can determine whether further incomingconnection access requests are loss prevention inspectable or bandwidthconservable.

DILPA can be a cloud-based data inspection and loss prevention appliance(CBDILPA). In other implementations, the DILPA can be an on-premise datainspection and loss prevention appliance (ONDILPA).

The device can be an off-organization-network device. The system furtherincludes a web management interface (WMI) for configuring the bandwidthconservable destination identifiers.

The network security system (NSS) can generate separate performancebypass lists for different bandwidth conservable destinationidentifiers. The NSS can then send the separate performance bypass liststo the endpoint routing client. The NSS can also generate a unifiedperformance bypass list for different bandwidth conservable destinationidentifiers. The NSS can then send the unified performance bypass listto the endpoint routing client. The NSS can also periodically update theperformance bypass list(s) sent to the endpoint routing client. In someimplementations, the performance bypass list(s) is stored at theendpoint routing client as a proxy auto-config (PAC) file.

Other implementations may include a non-transitory computer readablestorage medium storing instructions executable by a processor to performfunctions of the system described above.

Another system implementation of the technology disclosed from theperspective of an on-premise routing proxy (OPERP) includes one or moreprocessors coupled to the memory. The memory is loaded with computerinstructions to conserve inspection bandwidth of a data inspection andloss prevention appliance (DILPA).

A plurality of connection access requests are received at an on-premiserouting proxy (OPERP) from endpoints running within an organizationnetwork. Such connection access requests include loss preventioninspectable requests and bandwidth conservable requests.

In advance of receiving the connection access requests, the OPERP isconfigured with a performance bypass list of bandwidth conservabledestination identifiers for which inspection bandwidth of the DILPA canbe conserved by bypassing the DILPA. As a result, the bandwidthconservable destination identifiers are not subject to routing throughthe DILPA.

Upon receiving the connection access requests, the OPERP compares atleast a substring of an incoming connection access request to entries inthe performance bypass list and classifies the incoming connectionaccess request as loss prevention inspectable or bandwidth conservable.

Upon classifying the connection access request as loss preventioninspectable, the OPERP tunnels the loss prevention inspectableconnection access request through a secure encrypted channel to theDILPA, which is interposed between the OPERP and a first server at adestination specified by the loss prevention inspectable connectionaccess request.

Upon classifying the connection access request as bandwidth conservable,the OPERP bypasses the DILPA by sending the bandwidth conservableconnection request from an endpoint to a second server at a destinationspecified by the bandwidth conservable connection access request.

Each of the features discussed in this particular implementation sectionfor other implementations apply equally to this system implementation.As indicated above, all the system features are not repeated here andshould be considered repeated by reference. Other implementations mayinclude a non-transitory computer readable storage medium storinginstructions executable by a processor to perform functions of thesystem described above.

Yet another system implementation of the technology disclosed from theperspective of a network security system (NSS) which comprises a datainspection and loss prevention appliance (DILPA) includes one or moreprocessors coupled to the memory. The memory is loaded with computerinstructions to conserve inspection bandwidth of the DILPA.

The NSS comprises a deployer. The deployer periodically updatesperformance bypass lists deployed to endpoint routing clients running ondevices.

The performance bypass lists identify bandwidth conservable destinationidentifiers for which inspection bandwidth of the DILPA can be conservedby bypassing the DILPA. As a result, the bandwidth conservabledestination identifiers are not subject to routing through the DILPA.

The performance bypass lists are used by the endpoint routing clients toclassify incoming connection access requests as loss preventioninspectable or bandwidth conservable.

The DILPA inspects loss prevention inspectable connection accessrequests, which are identified as such based on the performance bypasslist-based classification by the endpoint routing clients. In someimplementations, the DILPA also applies a data loss prevention policy onthe loss prevention inspectable connection access requests.

The DILPA remains agnostic to bandwidth conservable connection accessrequests, which are identified as such based on the performance bypasslist-based classification by the endpoint routing clients.

Each of the features discussed in this particular implementation sectionfor other implementations apply equally to this system implementation.As indicated above, all the system features are not repeated here andshould be considered repeated by reference. Other implementations mayinclude a non-transitory computer readable storage medium storinginstructions executable by a processor to perform functions of thesystem described above.

A method implementation of the technology disclosed from the perspectiveof an endpoint routing client includes conserving inspection bandwidthof a data inspection and loss prevention appliance (DILPA).

The method includes receiving a plurality of connection access requestsat an endpoint routing client running on a same device from which therequests originated. Such connection access requests include lossprevention inspectable requests and bandwidth conservable requests.

The method includes, in advance of receiving the connection accessrequests, configuring the endpoint routing client with a performancebypass list of bandwidth conservable destination identifiers for whichinspection bandwidth of the DILPA can be conserved by bypassing theDILPA. As a result, the bandwidth conservable destination identifiersare not subject to routing through the DILPA.

The method includes the endpoint routing client comparing at least asubstring of an incoming connection access request to entries in theperformance bypass list and classifying the incoming connection accessrequest as loss prevention inspectable or bandwidth conservable.

The method includes, in response to classifying the connection accessrequest as loss prevention inspectable, the endpoint routing clienttunneling the loss prevention inspectable connection access requestthrough a secure encrypted channel to the DILPA, which is interposedbetween the device and a first server at a destination specified by theloss prevention inspectable connection access request.

The method includes, in response to classifying the connection accessrequest as bandwidth conservable, the endpoint routing client bypassingthe DILPA by sending the bandwidth conservable connection access requestfrom the device to a second server at a destination specified by thebandwidth conservable connection access request.

Each of the features discussed in this particular implementation sectionfor other implementations apply equally to this method implementation.As indicated above, all the system features are not repeated here andshould be considered repeated by reference. Other implementations mayinclude a non-transitory computer readable storage medium storinginstructions executable by a processor to perform the method describedabove. Yet another implementation may include a system including memoryand one or more processors operable to execute instructions, stored inthe memory, to perform the method described above.

Another method implementation of the technology disclosed from theperspective of an on-premise routing proxy (OPERP) includes conservinginspection bandwidth of a data inspection and loss prevention appliance(DILPA).

The method includes receiving a plurality of connection access requestsat an on-premise routing proxy (OPERP) from endpoints running within anorganization network. Such connection access requests include lossprevention inspectable requests and bandwidth conservable requests.

The method includes, in advance of receiving the connection accessrequests, configuring the OPERP with a performance bypass list ofbandwidth conservable destination identifiers for which inspectionbandwidth of the DILPA can be conserved by bypassing the DILPA. As aresult, the bandwidth conservable destination identifiers are notsubject to routing through the DILPA.

The method includes the OPERP comparing at least a substring of anincoming connection access request to entries in the performance bypasslist and classifying the incoming connection access request as lossprevention inspectable or bandwidth conservable.

The method includes, in response to classifying the connection accessrequest as loss prevention inspectable, the OPERP tunneling the lossprevention inspectable connection access request through a secureencrypted channel to the DILPA, which is interposed between the OPERPand a first server at a destination specified by the loss preventioninspectable connection access request.

The method includes, in response to classifying the connection accessrequest as bandwidth conservable, the OPERP bypassing the DILPA bysending the bandwidth conservable connection access request from anendpoint to a second server at a destination specified by the bandwidthconservable connection access request.

Each of the features discussed in this particular implementation sectionfor other implementations apply equally to this method implementation.As indicated above, all the system features are not repeated here andshould be considered repeated by reference. Other implementations mayinclude a non-transitory computer readable storage medium storinginstructions executable by a processor to perform the method describedabove. Yet another implementation may include a system including memoryand one or more processors operable to execute instructions, stored inthe memory, to perform the method described above.

Web Category-Based Bypass

Yet another system implementation of the technology disclosed from theperspective of an endpoint routing client includes one or moreprocessors coupled to the memory. The memory is loaded with computerinstructions to conserve inspection bandwidth of a data inspection andloss prevention appliance (DILPA).

An incoming connection access request is received at an endpoint routingclient running on a same device from which the request originated. Therequest comprises a domain name.

In advance of receiving the request, the endpoint routing client isconfigured with a web category bypass list of bandwidth conservable webcategories for which inspection bandwidth of the DILPA can be conservedby bypassing the DILPA. As a result, the bandwidth conservable webcategories are not subject to routing through the DILPA. The endpointrouting client is also configured with a domain bypass list of bandwidthconservable domain names in each of the bandwidth conservable webcategories in the web category bypass list.

When the domain name is not in the domain bypass list, the endpointrouting client queries and receives a web category for the domain name.In one implementation, the endpoint routing client queries a storagemodule of the network security system (NSS) and receives the webcategory from the storage module. In another implementation, theendpoint routing client queries a local module of the endpoint routingclient and receives the web category from the local module.

The endpoint routing client compares the received web category toentries in the web category bypass list and classifies the domain nameas loss prevention inspectable or bandwidth conservable.

Upon classifying the domain name as loss prevention inspectable, theendpoint routing client tunnels the incoming connection access requestand further incoming connection access requests that comprise the domainname through a secure encrypted channel to the DILPA, which isinterposed between the device and respective destination serversspecified by the incoming and further incoming connection accessrequests.

Upon classifying the domain name as bandwidth conservable, the endpointrouting client bypasses the DILPA by sending the incoming connectionaccess request and further incoming connection access requests thatcomprise the domain name from the device to the respective destinationservers.

Each of the features discussed in this particular implementation sectionfor other implementations apply equally to this system implementation.As indicated above, all the system features are not repeated here andshould be considered repeated by reference.

The endpoint routing client updates the domain bypass list based on abandwidth conservable classification of the domain name. The bandwidthconservable classification can be accompanied with a time to live (TTL)parameter. When the bandwidth conservable classification expires basedon the TTL parameter, the endpoint routing client can query and receivea web category for the domain name (from the storage module or the localmodule) and reclassify the domain name as loss prevention inspectable orbandwidth conservable based on the received web category.

The network security system (NSS) can periodically update the webcategory bypass list and the domain bypass list sent to the endpointrouting client.

The endpoint routing client can receive a domain whitelist (from thestorage module or the local module) that identifies one or more lossprevention inspectable domain names that are subject to inspection bythe DILPA irrespective of belonging to a bandwidth conservable webcategory. The endpoint routing client can then tunnel connection accessrequests that comprise the loss prevention inspectable domain namesthrough the secure encrypted channel to the DILPA.

Other implementations may include a non-transitory computer readablestorage medium storing instructions executable by a processor to performfunctions of the system described above.

Yet another method implementation of the technology disclosed from theperspective of an endpoint routing client includes conserving inspectionbandwidth of a data inspection and loss prevention appliance (DILPA).

The method includes receiving an incoming connection access request atan endpoint routing client running on a same device from which therequest originated. The request comprises a domain name.

The method includes, in advance of receiving the request, configuringthe endpoint routing client with a web category bypass list of bandwidthconservable web categories for which inspection bandwidth of the DILPAcan be conserved by bypassing the DILPA. As a result, the bandwidthconservable web categories are not subject to routing through the DILPA.

The method also includes configuring the endpoint routing client with adomain bypass list of bandwidth conservable domain names in each of thebandwidth conservable web categories in the web category bypass list.

When the domain name is not in the domain bypass list, the methodincludes the endpoint routing client querying and receiving a webcategory for the domain name. In one implementation, the endpointrouting client queries a storage module of the network security system(NSS) and receives the web category from the storage module. In anotherimplementation, the endpoint routing client queries a local module ofthe endpoint routing client and receives the web category from the localmodule.

The method includes the endpoint routing client comparing the receivedweb category to entries in the web category bypass list and classifyingthe domain name as loss prevention inspectable or bandwidth conservable.

The method includes, in response to classifying the domain name as lossprevention inspectable, the endpoint routing client tunneling theincoming connection access request and further incoming connectionaccess requests that comprise the domain name through a secure encryptedchannel to the DILPA, which is interposed between the device andrespective destination servers specified by the incoming and furtherincoming connection access requests.

The method includes, in response to classifying the domain name asbandwidth conservable, the endpoint routing client bypassing the DILPAby sending the incoming connection access request and further incomingconnection access requests that comprise the domain name from the deviceto the respective destination servers.

Each of the features discussed in this particular implementation sectionfor other implementations apply equally to this method implementation.As indicated above, all the system features are not repeated here andshould be considered repeated by reference. Other implementations mayinclude a non-transitory computer readable storage medium storinginstructions executable by a processor to perform the method describedabove. Yet another implementation may include a system including memoryand one or more processors operable to execute instructions, stored inthe memory, to perform the method described above.

Error-Based Bypass

Another system implementation of the technology disclosed from theperspective of the network security system (NSS) includes one or moreprocessors coupled to the memory. The memory is loaded with computerinstructions to reduce error in security enforcement by the NSS.

The NSS receives over a monitored channel a plurality of connectionaccess requests from an endpoint routing client running on a device.Such connection access requests include loss prevention inspectablerequests and connection preserving requests.

The NSS decrypts an incoming connection access request and determinesconformance or non-conformance of the connection access request withsemantic and content requirements of a protocol established for themonitored channel.

In one implementation, the monitored channel is Port 80 and theestablished protocol is Hypertext Transfer Protocol (abbreviated HTTP).In another implementation, the monitored channel is Port 443 and theestablished protocol is Hypertext Transfer Protocol Secure (abbreviatedHTTPS).

The semantic and content requirements apply to request methods, requestheader fields, request payload metadata, and request payload bodycontent of the protocol established for the monitored channel. Thesemantic and content requirements can be loaded onto an error bypasslist and made available to the NSS. Additional information about thesemantic and content requirements can be found in Wikipediacontributors, ‘List of HTTP header fields’, Wikipedia, The FreeEncyclopedia, 17 Apr. 2018, 09:04 UTC,<https://en.wikipedia.org/w/index.php?title=List_of_HTTP_header_fields&oldid=836864202>[accessed 19 Apr. 2018]; Wikipedia contributors, ‘HTTPS’, Wikipedia, TheFree Encyclopedia, 17 Apr. 2018, 03:27 UTC,<https://en.wikipedia.org/w/index.php?title=HTTPS&oldid=836835625>[accessed 19 Apr. 2018]; Internet Engineering Task Force, ‘HypertextTransfer Protocol (HTTP/1.1): Semantics and Content’. R. Fielding, Ed.,J. Reschke, Ed. June 2014, <https://tools.ietf.org/pdf/rfc7231.pdf>[accessed 19 Apr. 2018]; and Internet Engineering Task Force, ‘HypertextTransfer Protocol (HTTP/1.1): Message Syntax and Routing’. R. Fielding,Ed., J. Reschke, Ed. June 2014, <https://tools.ietf.org/pdf/rfc7230.pdf>[accessed 19 Apr. 2018], which are incorporated by reference herein intheir entirety.

In some implementations, semantic and content based comparison involveskeyword matching, pattern matching, string or substring matching, exactmatching, and regular expression matching.

Based on the determination, the NSS classifies the connection accessrequest as loss prevention inspectable or connection preserving.

In response to classifying the connection access request as lossprevention inspectable, the NSS forwards the loss prevention inspectableconnection access request to a data inspection and loss preventionappliance (abbreviated DILPA) for deep inspection. The DILPA isinterposed between the device and a first server at a destinationspecified by the loss prevention inspectable connection access request.

In response to classifying the connection access request as connectionpreserving, the NSS sends the connection preserving connection accessrequest to a second server at a destination specified by the connectionpreserving connection access request, preventing request termination anderror generation by the NSS.

Each of the features discussed in this particular implementation sectionfor other implementations apply equally to this system implementation.As indicated above, all the system features are not repeated here andshould be considered repeated by reference.

In another implementation, the NSS receives over the monitored channel aplurality of connection access responses from destination servers. Suchconnection access responses include loss prevention inspectableresponses and connection preserving responses.

The NSS decrypts an incoming connection access response and determinesconformance or non-conformance of the connection access response withsemantic and content requirements of the protocol established for themonitored channel.

In one implementation, the monitored channel is Port 80 and theestablished protocol is Hypertext Transfer Protocol (abbreviated HTTP).In another implementation, the monitored channel is Port 443 and theestablished protocol is Hypertext Transfer Protocol Secure (abbreviatedHTTPS).

The semantic and content requirements apply to response methods,response header fields, response payload metadata, and response payloadbody content of the protocol established for the monitored channel. Thesemantic and content requirements can be loaded onto an error bypasslist and made available to the NSS. Additional information about thesemantic and content requirements can be found in Wikipediacontributors, ‘List of HTTP header fields’, Wikipedia, The FreeEncyclopedia, 17 Apr. 2018, 09:04 UTC,<https://en.wikipedia.org/w/index.php?title=List_of_HTTP_header_fields&oldid=836864202>[accessed 19 Apr. 2018]; Wikipedia contributors, ‘HTTPS’, Wikipedia, TheFree Encyclopedia, 17 Apr. 2018, 03:27 UTC,<https://en.wikipedia.org/w/index.php?title=HTTPS&oldid=836835625>[accessed 19 Apr. 2018]; Internet Engineering Task Force, ‘HypertextTransfer Protocol (HTTP/1.1): Semantics and Content’. R. Fielding, Ed.,J. Reschke, Ed. June 2014, <https://tools.ietf.org/pdf/rfc7231.pdf>[accessed 19 Apr. 2018]; and Internet Engineering Task Force, ‘HypertextTransfer Protocol (HTTP/1.1): Message Syntax and Routing’. R. Fielding,Ed., J. Reschke, Ed. June 2014, <https://tools.ietf.org/pdf/rfc7230.pdf>[accessed 19 Apr. 2018], which are incorporated by reference herein intheir entirety.

In some implementations, semantic and content based comparison involveskeyword matching, pattern matching, string or substring matching, exactmatching, and regular expression matching. That is, the header andpayload of a request or response can be compared that of a standard HTTPor HTTPS header and payload of a request or response on a semantic andcontent basis to determine conformance or non-conformance with HTTP orHTTPS protocol.

Based on the determination, the NSS classifies the connection accessresponse as loss prevention inspectable or connection preserving;

In response to classifying the connection access response as lossprevention inspectable, the NSS forwards the loss prevention inspectableconnection access response to the DILPA for deep inspection.

In response to classifying the connection access response as connectionpreserving, the NSS directly sends the connection preserving connectionaccess response to a requesting client device, preventing responsetermination and error generation by the NSS.

When the certificate error is caused by an unsupported cipher, the NSScan block the loss prevention inspectable connection access request.

In another implementation, internal deep inspection bypass of aconnection access request (CAR) can occur when the client fails toperform the handshake and thus errors out. In such an implementation,the domain name associated with the CAR can be stored in the storage 460as part of the error bypass list for future bypassing.

When the NSS receives a given connection access request that invokes arequested non-HTTP protocol on a requested HTTP channel, it determinesthat the requested non-HTTP protocol is a connection preserving protocolbased on non-conformance with the semantic and content requirements ofthe HTTP. Based on the determination, the NSS internally bypasses deepinspection by the DILPA of the given connection access request. Thisincludes sending the given connection access request to a givendestination server specified by the given connection access request andrelaying responses from the given destination server directly to thedevice.

When the NSS receives a given connection access request that invokes arequested non-HTTPS protocol on a requested HTTPS channel, it determinesthat the requested non-HTTPS protocol is a connection preservingprotocol based on non-conformance with the semantic and contentrequirements of the HTTPS. Based on the determination, the NSSinternally bypasses deep inspection by the DILPA of the given connectionaccess request. This includes sending the given connection accessrequest to a given destination server specified by the given connectionaccess request and relaying responses from the given destination serverdirectly to the device.

When the NSS receives a given connection access request that invokes arequested non-HTTP protocol on a requested HTTPS channel, it determinesthat the requested non-HTTP protocol is a connection preserving protocolbased on non-conformance with the semantic and content requirements ofthe HTTPS. Based on the determination, the NSS internally bypasses deepinspection by the DILPA of the given connection access request. Thisincludes sending the given connection access request to a givendestination server specified by the given connection access request andrelaying responses from the given destination server directly to thedevice.

In one implementation involving HTTPS traffic, the NSS receives anincoming connection access request from the endpoint routing client. Theconnection access request is issued by an application client running onthe device and comprises a server name identification (abbreviated SNI)that identifies the application. The NSS then looks up the SNI in anerror bypass list and determines that the application client is pinnedto an application-specific certificate and does not trust a NSScertificate. Based on the determination, the NSS internally bypassesdeep inspection by the DILPA of the connection access request. Thisincludes sending the connection access request to a destination serverspecified by the connection access request and relaying responses fromthe destination server directly to the device.

In another implementation involving HTTP traffic, the NSS receives anincoming connection access request from the endpoint routing client. Theconnection access request is issued by an application client running onthe device and comprises a host header that identifies the application.The NSS then looks up the host header in an error bypass list anddetermines that the application client is pinned to anapplication-specific certificate and does not trust a NSS certificate.Based on the determination, the NSS internally bypasses deep inspectionby the DILPA of the connection access request. This includes sending theconnection access request to a destination server specified by theconnection access request and relaying responses from the destinationserver directly to the device.

In one implementation involving HTTPS traffic, the NSS receives anincoming connection access request from the endpoint routing client. Theconnection access request is issued by an application client running onthe device and does not comprise a server name identification(abbreviated SNI) that identifies the application. The NSS then receivesa response to the connection access request from a destination serverspecified by the connection access request. The response comprises acertificate with the SNI which identifies the application. Advancingahead, the NSS looks up the SNI in an error bypass list and determinesthat the application client is pinned to an application-specificcertificate and does not trust a NSS certificate. Based on thedetermination, the NSS internally bypasses deep inspection by the DILPAof the response.

In one implementation involving HTTP traffic, the NSS receives anincoming connection access request from the endpoint routing client. Theconnection access request is issued by an application client running onthe device and does not comprise a host header that identifies theapplication. The NSS then receives a response to the connection accessrequest from a destination server specified by the connection accessrequest. The response comprises a certificate with the host header whichidentifies the application. Advancing ahead, the NSS looks up the SNI inan error bypass list and determines that the application client ispinned to an application-specific certificate and does not trust a NSScertificate. Based on the determination, the NSS internally bypassesdeep inspection by the DILPA of the response.

The NSS receives, from a destination server, a connection accessresponse that comprises a certificate. The NSS inspects the certificatefor validation and detects a certificate error. Based on the detection,the NSS internally bypasses deep inspection by the DILPA of theconnection access response. The certificate error can be caused by atleast one of an untrusted root certificate and an incomplete certificatechain. When the certificate error is caused by an unsupported cipher,the NSS blocks the connection access response.

When the NSS detects a protocol error while processing a connectionaccess request from a requesting client device, it responds bypreserving the connection access request. Connection preservationincludes terminating further processing of the connection access request(e.g., by the DIPLA) and directly forwarding the connection accessrequest to a specified destination server.

When the NSS detects a protocol error while processing a connectionaccess response from a destination server, it responds by preserving theconnection access response. Connection preservation includes terminatingfurther processing of the connection access response (e.g., by theDIPLA) and directly forwarding the connection access response to arequesting client device.

Other implementations may include a non-transitory computer readablestorage medium storing instructions executable by a processor to performfunctions of the system described above.

Another computer-implemented method implementation of the technologydisclosed from the perspective of the network security system (NSS)includes reducing error in security enforcement by the NSS.

The method includes the NSS receiving over a monitored channel aplurality of connection access requests from an endpoint routing clientrunning on a device, the requests including loss prevention inspectablerequests and connection preserving requests.

The method includes the NSS decrypting an incoming connection accessrequest and determining conformance or non-conformance of the connectionaccess request with semantic and content requirements of a protocolestablished for the monitored channel.

In one implementation, the monitored channel is Port 80 and theestablished protocol is Hypertext Transfer Protocol (abbreviated HTTP).In another implementation, the monitored channel is Port 443 and theestablished protocol is Hypertext Transfer Protocol Secure (abbreviatedHTTPS).

The semantic and content requirements apply to request methods, requestheader fields, request payload metadata, and request payload bodycontent of the protocol established for the monitored channel. Thesemantic and content requirements can be loaded onto an error bypasslist and made available to the NSS. Additional information about thesemantic and content requirements can be found in Wikipediacontributors, ‘List of HTTP header fields’, Wikipedia, The FreeEncyclopedia, 17 Apr. 2018, 09:04 UTC,<https://en.wikipedia.org/w/index.php?title=List_of_HTTP_header_fields&oldid=836864202>[accessed 19 Apr. 2018]; Wikipedia contributors, ‘HTTPS’, Wikipedia, TheFree Encyclopedia, 17 Apr. 2018, 03:27 UTC,<https://en.wikipedia.org/w/index.php?title=HTTPS&oldid=836835625>[accessed 19 Apr. 2018]; Internet Engineering Task Force, ‘HypertextTransfer Protocol (HTTP/1.1): Semantics and Content’. R. Fielding, Ed.,J. Reschke, Ed. June 2014, <https://tools.ietf.org/pdf/rfc7231.pdf>[accessed 19 Apr. 2018]; and Internet Engineering Task Force, ‘HypertextTransfer Protocol (HTTP/1.1): Message Syntax and Routing’. R. Fielding,Ed., J. Reschke, Ed. June 2014, <https://tools.ietf.org/pdf/rfc7230.pdf>[accessed 19 Apr. 2018], which are incorporated by reference herein intheir entirety.

The method includes, based on the determination, the NSS classifying theconnection access request as loss prevention inspectable or connectionpreserving.

The method includes, in response to classifying the connection accessrequest as loss prevention inspectable, the NSS forwarding the lossprevention inspectable connection access request to the DILPA for deepinspection. The DILPA is interposed between the device and a firstserver at a destination specified by the loss prevention inspectableconnection access request.

The method includes, in response to classifying the connection accessrequest as connection preserving, the NSS sending the connectionpreserving connection access request to a second server at a destinationspecified by the connection preserving connection access request,preventing request termination and error generation by the NSS.

Each of the features discussed in this particular implementation sectionfor other implementations apply equally to this method implementation.As indicated above, all the system features are not repeated here andshould be considered repeated by reference. Other implementations mayinclude a non-transitory computer readable storage medium storinginstructions executable by a processor to perform the method describedabove. Yet another implementation may include a system including memoryand one or more processors operable to execute instructions, stored inthe memory, to perform the method described above.

Any data structures and code described or referenced above are storedaccording to many implementations on a computer-readable storage medium,which may be any device or medium that can store code and/or data foruse by a computer system. This includes, but is not limited to, volatilememory, non-volatile memory, application-specific integrated circuits(ASICs), field-programmable gate arrays (FPGAs), magnetic and opticalstorage devices such as disk drives, magnetic tape, CDs (compact discs),DVDs (digital versatile discs or digital video discs), or other mediacapable of storing computer-readable media now known or later developed.

The preceding description is presented to enable the making and use ofthe technology disclosed. Various modifications to the disclosedimplementations will be apparent, and the general principles definedherein may be applied to other implementations and applications withoutdeparting from the spirit and scope of the technology disclosed. Thus,the technology disclosed is not intended to be limited to theimplementations shown, but is to be accorded the widest scope consistentwith the principles and features disclosed herein. The scope of thetechnology disclosed is defined by the appended claims.

The technology disclosed can be practiced as a system, method, and anarticle of manufacture. One or more features of an implementation can becombined with the base implementation. Implementations that are notmutually exclusive are taught to be combinable. One or more features ofan implementation can be combined with other implementations. Thisdisclosure periodically reminds the user of these options. Omission fromsome implementations of recitations that repeat these options should notbe taken as limiting the combinations taught in the precedingsections—these recitations are hereby incorporated forward by referenceinto each of the following implementations.

What is claimed is:
 1. A computer-implemented method, including:conserving inspection bandwidth of a data inspection and loss preventionappliance (abbreviated DILPA), including receiving an incomingconnection access request at an endpoint routing client running on asame device from which the request originated, the request comprising adomain name; the endpoint routing client having previously received aweb category bypass list of bandwidth conservable web categories forwhich inspection bandwidth of the DILPA can be conserved by bypassingthe DILPA, and a domain bypass list of bandwidth conservable domainnames in each of the bandwidth conservable web categories in the webcategory bypass list; when the domain name is not in the domain bypasslist, the endpoint routing client querying and receiving a web categoryfor the domain name; the endpoint routing client comparing the receivedweb category to entries in the web category bypass list and classifyingthe domain name as loss prevention inspectable or bandwidth conservable;in response to classifying the domain name as loss preventioninspectable, the endpoint routing client tunneling the incomingconnection access request and further incoming connection accessrequests that comprise the domain name through a secure encryptedchannel to the DILPA interposed between the device and respectivedestination servers specified by the incoming and further incomingconnection access requests; and in response to classifying the domainname as bandwidth conservable, the endpoint routing client sending theincoming connection access request and further incoming connectionaccess requests that comprise the domain name from the device to therespective destination servers, bypassing the DILPA.
 2. Thecomputer-implemented method of claim 1, further including: the endpointrouting client updating the domain bypass list based on a bandwidthconservable classification of the domain name.
 3. Thecomputer-implemented method of claim 2, wherein the bandwidthconservable classification is accompanied with a time to live(abbreviated TTL) parameter.
 4. The computer-implemented method of claim3, further including: when the bandwidth conservable classification hasexpired based on the TTL parameter, the endpoint routing client queryingand receiving a web category for the domain name; and the endpointrouting client reclassifying the domain name as loss preventioninspectable or bandwidth conservable based on the received web category.5. The computer-implemented method of claim 1, further including: anetwork security system (abbreviated NSS) that comprises the DILPAperiodically updating the web category bypass list and the domain bypasslist sent to the endpoint routing client.
 6. The computer-implementedmethod of claim 1, further including: the endpoint routing clientreceiving a domain whitelist that identifies one or more loss preventioninspectable domain names that are subject to inspection by the DILPAirrespective of belonging to a bandwidth conservable web category; andthe endpoint routing client tunneling connection access requests thatcomprise the loss prevention inspectable domain names through the secureencrypted channel to the DILPA.
 7. The computer-implemented method ofclaim 1, further including: receiving a plurality of connection accessrequests at an on-premise endpoint routing proxy (abbreviated OPERP)from endpoints running within an organization network, the requestsincluding loss prevention inspectable requests and bandwidth conservablerequests; in advance of receiving the connection access requests, theOPERP having previously received a performance bypass list of bandwidthconservable destination identifiers for which inspection bandwidth ofthe DILPA can be conserved by bypassing the DILPA; the OPERP comparingat least a substring of an incoming connection access request to entriesin the performance bypass list and classifying the incoming connectionaccess request as loss prevention inspectable or bandwidth conservable;in response to classifying the connection access request as lossprevention inspectable, the OPERP tunneling the loss preventioninspectable connection access request through a secure encrypted channelto the DILPA interposed between the OPERP and a first server at adestination specified by the loss prevention inspectable connectionaccess request; and in response to classifying the connection accessrequest as bandwidth conservable, the OPERP sending the bandwidthconservable connection access request from an endpoint to a secondserver at a destination specified by the bandwidth conservableconnection access request, bypassing the DILPA.
 8. A system includingone or more processors coupled to memory, the memory loaded withcomputer instructions, the instructions, when executed on theprocessors, implement actions comprising: conserving inspectionbandwidth of a data inspection and loss prevention appliance(abbreviated DILPA), including receiving an incoming connection accessrequest at an endpoint routing client running on a same device fromwhich the request originated, the request comprising a domain name; theendpoint routing client having previously received a web category bypasslist of bandwidth conservable web categories for which inspectionbandwidth of the DILPA can be conserved by bypassing the DILPA, and adomain bypass list of bandwidth conservable domain names in each of thebandwidth conservable web categories in the web category bypass list;when the domain name is not in the domain bypass list, the endpointrouting client querying and receiving a web category for the domainname; the endpoint routing client comparing the received web category toentries in the web category bypass list and classifying the domain nameas loss prevention inspectable or bandwidth conservable; in response toclassifying the domain name as loss prevention inspectable, the endpointrouting client tunneling the incoming connection access request andfurther incoming connection access requests that comprise the domainname through a secure encrypted channel to the DILPA interposed betweenthe device and respective destination servers specified by the incomingand further incoming connection access requests; and in response toclassifying the domain name as bandwidth conservable, the endpointrouting client sending the incoming connection access request andfurther incoming connection access requests that comprise the domainname from the device to the respective destination servers, bypassingthe DILPA.
 9. The system of claim 8, further implementing actionscomprising: the endpoint routing client updating the domain bypass listbased on a bandwidth conservable classification of the domain name. 10.The system of claim 9, wherein the bandwidth conservable classificationis accompanied with a time to live (abbreviated TTL) parameter.
 11. Thesystem of claim 10, further implementing actions comprising: when thebandwidth conservable classification has expired based on the TTLparameter, the endpoint routing client querying and receiving a webcategory for the domain name; and the endpoint routing clientreclassifying the domain name as loss prevention inspectable orbandwidth conservable based on the received web category.
 12. The systemof claim 8, further implementing actions comprising: a network securitysystem (abbreviated NSS) that comprises the DILPA periodically updatingthe web category bypass list and the domain bypass list sent to theendpoint routing client.
 13. The system of claim 8, further implementingactions comprising: the endpoint routing client receiving a domainwhitelist that identifies one or more loss prevention inspectable domainnames that are subject to inspection by the DILPA irrespective ofbelonging to a bandwidth conservable web category; and the endpointrouting client tunneling connection access requests that comprise theloss prevention inspectable domain names through the secure encryptedchannel to the DILPA.
 14. The system of claim 8, further implementingactions comprising: receiving a plurality of connection access requestsat an on-premise endpoint routing proxy (abbreviated OPERP) fromendpoints running within an organization network, the requests includingloss prevention inspectable requests and bandwidth conservable requests;in advance of receiving the connection access requests, the OPERP havingpreviously received a performance bypass list of bandwidth conservabledestination identifiers for which inspection bandwidth of the DILPA canbe conserved by bypassing the DILPA; the OPERP comparing at least asubstring of an incoming connection access request to entries in theperformance bypass list and classifying the incoming connection accessrequest as loss prevention inspectable or bandwidth conservable; inresponse to classifying the connection access request as loss preventioninspectable, the OPERP tunneling the loss prevention inspectableconnection access request through a secure encrypted channel to theDILPA interposed between the OPERP and a first server at a destinationspecified by the loss prevention inspectable connection access request;and in response to classifying the connection access request asbandwidth conservable, the OPERP sending the bandwidth conservableconnection access request from an endpoint to a second server at adestination specified by the bandwidth conservable connection accessrequest, bypassing the DILPA.
 15. A non-transitory computer readablestorage medium impressed with computer program instructions, theinstructions, when executed on a processor, implement a methodcomprising: conserving inspection bandwidth of a data inspection andloss prevention appliance (abbreviated DILPA), including receiving anincoming connection access request at an endpoint routing client runningon a same device from which the request originated, the requestcomprising a domain name; the endpoint routing client having previouslyreceived a web category bypass list of bandwidth conservable webcategories for which inspection bandwidth of the DILPA can be conservedby bypassing the DILPA, and a domain bypass list of bandwidthconservable domain names in each of the bandwidth conservable webcategories in the web category bypass list; when the domain name is notin the domain bypass list, the endpoint routing client querying andreceiving a web category for the domain name; the endpoint routingclient comparing the received web category to entries in the webcategory bypass list and classifying the domain name as loss preventioninspectable or bandwidth conservable; in response to classifying thedomain name as loss prevention inspectable, the endpoint routing clienttunneling the incoming connection access request and further incomingconnection access requests that comprise the domain name through asecure encrypted channel to the DILPA interposed between the device andrespective destination servers specified by the incoming and furtherincoming connection access requests; and in response to classifying thedomain name as bandwidth conservable, the endpoint routing clientsending the incoming connection access request and further incomingconnection access requests that comprise the domain name from the deviceto the respective destination servers, bypassing the DILPA.
 16. Thenon-transitory computer readable storage medium of claim 15,implementing the method further comprising: the endpoint routing clientupdating the domain bypass list based on a bandwidth conservableclassification of the domain name.
 17. The non-transitory computerreadable storage medium of claim 16, wherein the bandwidth conservableclassification is accompanied with a time to live (abbreviated TTL)parameter.
 18. The non-transitory computer readable storage medium ofclaim 17, implementing the method further comprising: when the bandwidthconservable classification has expired based on the TTL parameter, theendpoint routing client querying and receiving a web category for thedomain name; and the endpoint routing client reclassifying the domainname as loss prevention inspectable or bandwidth conservable based onthe received web category.
 19. The non-transitory computer readablestorage medium of claim 15, implementing the method further comprising:a network security system (abbreviated NSS) that comprises the DILPAperiodically updating the web category bypass list and the domain bypasslist sent to the endpoint routing client.
 20. A network security system(NSS) that reduces latency in security enforcement, the NSS comprising:a deployer that periodically updates performance bypass lists deployedto endpoint routing clients running on devices, the performance bypasslists identifying exempt connection identifiers that are not subject torouting through a traffic inspection proxy (abbreviated TIP) and beingused by the endpoint routing clients to classify incoming connectionaccess requests as non-exempt or exempt; and the TIP that in dependenceupon the performance bypass list-based classification by the endpointrouting clients: inspects non-exempt incoming connection access requestsand applies a policy; and remains agnostic to exempt incoming connectionaccess requests.